CVE-2026-8953
Sandbox Escape via Use-After-Free in Firefox
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: Mozilla Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mozilla | firefox | From 140.0 (inc) to 140.11.0 (exc) |
| mozilla | firefox | to 151.0.0 (exc) |
| mozilla | firefox | to 115.36.0 (exc) |
| mozilla | thunderbird | to 140.11 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a sandbox escape due to a use-after-free in the Disability Access APIs component, which has a high CVSS score indicating critical impact on confidentiality, integrity, and availability.
Such a vulnerability could potentially allow attackers to execute arbitrary code and escape sandbox protections, leading to unauthorized access or manipulation of sensitive data.
This kind of security flaw may impact compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.
However, the provided information does not explicitly describe the direct effects on compliance with these regulations.
Can you explain this vulnerability to me?
This vulnerability is a sandbox escape caused by a use-after-free issue in the Disability Access APIs component of Firefox. A use-after-free occurs when a program continues to use memory after it has been freed, which can lead to unexpected behavior or security issues.
How can this vulnerability impact me? :
This vulnerability could allow an attacker to escape the browser's sandbox, potentially leading to execution of arbitrary code or gaining higher privileges on the affected system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Firefox to version 151 or later, or update Firefox ESR to version 115.36 or later, or ESR 140.11 or later, where the issue has been fixed.