CRITICAL🇵🇱 Wersja polska

CVE-2026-2761

CVSS 10.0v3.1pub. 2026-02-24upd. 2026-06-30

Sandbox escape in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

🤖 AI Analysis
How it works

The vulnerability is located in the WebRender component responsible for graphics rendering. Its exploitation allows breaking through the process isolation mechanism (sandbox), which normally restricts the scope of code execution in a browser or mail client. The attack vector is network-based, requires no authentication or user interaction, and the scope of impact extends beyond the isolated component (Scope: Changed). Technical details of the vulnerability mechanism have not been disclosed.

Impact

An attacker can gain complete control over the victim's system, obtaining confidentiality, integrity, and availability at the highest level — corresponding to the ability to execute arbitrary code outside the sandbox environment. Successful exploitation of the vulnerability can lead to complete compromise of the operating system.

Mitigation & patch

Software must be immediately updated to the following versions: Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, or Thunderbird 140.8. Details available in Mozilla security advisories: mfsa2026-13, mfsa2026-14, mfsa2026-15, mfsa2026-16.

Who is affected

Mozilla Firefox prior to version 148, Mozilla Firefox ESR prior to versions 115.33 and 140.8, Mozilla Thunderbird prior to version 148, and Mozilla Thunderbird prior to version 140.8.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 115.33.0< 148.0128.0 – 140.8.0 (bez)
  • Mozilla Thunderbird

    APP
    Mozilla
    < 140.8.0< 148.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...