CVE-2026-0880
Integer Overflow in Firefox Graphics Causes Sandbox Escape
Publication date: 2026-01-13
Last updated on: 2026-04-13
Assigner: Mozilla Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mozilla | firefox | to 147 (exc) |
| mozilla | firefox_esr | to 115.32 (exc) |
| mozilla | firefox_esr | to 140.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a sandbox escape caused by an integer overflow in the Graphics component of Firefox. It affects Firefox versions prior to 147, Firefox ESR versions prior to 115.32, and Firefox ESR versions prior to 140.7. An integer overflow in this context means that a calculation exceeds the maximum size allowed for an integer, which can lead to unexpected behavior and potentially allow an attacker to break out of the browser's sandbox, gaining unauthorized access or control.
How can this vulnerability impact me? :
This vulnerability can have a high impact as it allows attackers to escape the browser's sandbox, potentially leading to full compromise of the affected system. The CVSS score of 8.8 indicates it can be exploited remotely with low complexity and no privileges required, but user interaction is needed. Successful exploitation can result in complete confidentiality, integrity, and availability loss, meaning attackers could execute arbitrary code, access sensitive information, or disrupt system operations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update Firefox to version 147 or later, or Firefox ESR to version 115.32 or later, including ESR 140.7 or later. These versions include fixes that address the integer overflow sandbox escape vulnerability in the Graphics component. [2]