Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The original vulnerability was being exploited in the wild. *This only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 136.0.4, Firefox ESR 128.8.1, and Firefox ESR 115.21.1.
A compromised Firefox child process manipulates Inter-Process Communication (IPC) in such a way that the parent process returns a system handle with unintentionally elevated privileges. Obtaining such a handle allows the child process to escape the sandbox isolation that Firefox applies to limit the scope of a potential attack. The error pattern was identified by Mozilla developers following analysis of the analogous vulnerability discovered in the Chrome engine (CVE-2025-2783). The vulnerability affects Windows only — other operating systems are not affected.
An attacker who has previously obtained code execution in a browser child process (e.g., through another vulnerability) can escape the sandbox and gain full access to the victim's operating system, which in practice means the ability to take control of the system, steal data, and install malicious software.
Firefox must be updated immediately to version 136.0.4 or later. For the extended support branch (ESR): Firefox ESR 128.x — update to 128.8.1; Firefox ESR 115.x — update to 115.21.1. Patches are available through the browser's built-in update mechanism and on the Mozilla website (mfsa2025-19).
Mozilla Firefox on Windows — versions prior to Firefox 136.0.4, Firefox ESR 128.8.1, and Firefox ESR 115.21.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMozilla Firefox
APPMozilla< 136.0.4< 115.21.1128.1.0 – 128.8.1 (bez)
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...