Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
The vulnerability results from improper verification of boundary conditions (CWE-754) and integer overflow (CWE-190) in the XPCOM component, which is responsible for communication between internal browser modules. Incorrect buffer boundary calculations lead to buffer overflow (CWE-120), which allows an attacker to execute code outside the isolated sandbox environment. The attack can be performed remotely, without authentication and without user interaction, and its effects extend beyond the application context itself (scope: changed, Scope: Changed).
An attacker can escape the sandbox mechanism of the browser or email client and gain the ability to execute arbitrary code in the context of the operating system, resulting in complete breach of confidentiality, integrity, and availability of the attacked system.
Software must be updated immediately to Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, or Thunderbird 140.9, in which the vulnerability has been fixed. Details are available in Mozilla security advisories: mfsa2026-20, mfsa2026-21, mfsa2026-22, mfsa2026-23.
Mozilla Firefox in versions before 149 and before Firefox ESR 115.34 and Firefox ESR 140.9; Mozilla Thunderbird in versions before 149 and before Thunderbird 140.9.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMozilla Firefox
APPMozilla< 115.34.0< 149.0128.0 – 140.9.0 (bez)Mozilla Thunderbird
APPMozilla< 140.9.0< 149.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...