CRITICAL🇵🇱 Wersja polska

CVE-2026-2768

CVSS 10.0v3.1pub. 2026-02-24upd. 2026-06-30

Sandbox escape in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

🤖 AI Analysis
How it works

The vulnerability concerns improper access control (CWE-284) and insufficient defensive mechanisms (CWE-693) in the IndexedDB component responsible for local data storage. An attacker can exploit this vulnerability remotely, without authentication and without user interaction, to break out of the browser's isolated sandbox environment. Sandbox escape allows operations to be performed outside the application's restricted context, meaning the ability to impact host operating system resources.

Impact

Successful exploitation of this vulnerability may enable an attacker to gain complete control over the victim's system — including gaining access to data, modifying resources, and disrupting system operation. The attack vector is network-based, and the lack of privilege and user interaction requirements makes this vulnerability particularly dangerous.

Mitigation & patch

Immediate update to Firefox 148, Firefox ESR 140.8, Thunderbird 148, or Thunderbird 140.8 is required, where the vulnerability has been patched. Updates are available directly through Mozilla products' automatic update mechanism or from the manufacturer's websites in accordance with published security bulletins.

Who is affected

Mozilla Firefox (versions prior to 148), Mozilla Firefox ESR (versions prior to 140.8), Mozilla Thunderbird (versions prior to 148), Mozilla Thunderbird ESR (versions prior to 140.8)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 140.8.0< 148.0
  • Mozilla Thunderbird

    APP
    Mozilla
    < 140.8.0< 148.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...