CVE-2026-0881
Sandbox Escape in Firefox Messaging System Prior to
Publication date: 2026-01-13
Last updated on: 2026-04-13
Assigner: Mozilla Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mozilla | firefox | to 147 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a sandbox escape in the Messaging System component of Firefox versions earlier than 147. It allows an attacker to break out of the restricted environment (sandbox) designed to isolate processes, potentially enabling them to execute arbitrary code or perform unauthorized actions outside the sandbox.
How can this vulnerability impact me? :
The vulnerability has a critical impact, with a CVSS score of 10.0, meaning it can be exploited remotely without any privileges or user interaction. Successful exploitation can lead to complete compromise of confidentiality, integrity, and availability of the affected system, allowing attackers to execute arbitrary code and take full control.
What immediate steps should I take to mitigate this vulnerability?
Update Firefox to version 147 or later, as the vulnerability affects Firefox versions prior to 147 and was fixed in Firefox 147. [1]