Sandbox escape in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
The vulnerability is located in the WebRender component responsible for graphics rendering. Its exploitation allows breaking through the process isolation mechanism (sandbox), which normally restricts the scope of code execution in a browser or mail client. The attack vector is network-based, requires no authentication or user interaction, and the scope of impact extends beyond the isolated component (Scope: Changed). Technical details of the vulnerability mechanism have not been disclosed.
An attacker can gain complete control over the victim's system, obtaining confidentiality, integrity, and availability at the highest level — corresponding to the ability to execute arbitrary code outside the sandbox environment. Successful exploitation of the vulnerability can lead to complete compromise of the operating system.
Software must be immediately updated to the following versions: Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, or Thunderbird 140.8. Details available in Mozilla security advisories: mfsa2026-13, mfsa2026-14, mfsa2026-15, mfsa2026-16.
Mozilla Firefox prior to version 148, Mozilla Firefox ESR prior to versions 115.33 and 140.8, Mozilla Thunderbird prior to version 148, and Mozilla Thunderbird prior to version 140.8.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMozilla Firefox
APPMozilla< 115.33.0< 148.0128.0 – 140.8.0 (bez)Mozilla Thunderbird
APPMozilla< 140.8.0< 148.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...