CRITICAL🇵🇱 Wersja polska

CVE-2025-2857

CVSS 10.0v3.1pub. 2025-03-27upd. 2026-04-13

Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The original vulnerability was being exploited in the wild. *This only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 136.0.4, Firefox ESR 128.8.1, and Firefox ESR 115.21.1.

🤖 AI Analysis
How it works

A compromised Firefox child process manipulates Inter-Process Communication (IPC) in such a way that the parent process returns a system handle with unintentionally elevated privileges. Obtaining such a handle allows the child process to escape the sandbox isolation that Firefox applies to limit the scope of a potential attack. The error pattern was identified by Mozilla developers following analysis of the analogous vulnerability discovered in the Chrome engine (CVE-2025-2783). The vulnerability affects Windows only — other operating systems are not affected.

Impact

An attacker who has previously obtained code execution in a browser child process (e.g., through another vulnerability) can escape the sandbox and gain full access to the victim's operating system, which in practice means the ability to take control of the system, steal data, and install malicious software.

Mitigation & patch

Firefox must be updated immediately to version 136.0.4 or later. For the extended support branch (ESR): Firefox ESR 128.x — update to 128.8.1; Firefox ESR 115.x — update to 115.21.1. Patches are available through the browser's built-in update mechanism and on the Mozilla website (mfsa2025-19).

Who is affected

Mozilla Firefox on Windows — versions prior to Firefox 136.0.4, Firefox ESR 128.8.1, and Firefox ESR 115.21.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 136.0.4< 115.21.1128.1.0 – 128.8.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...