Firefox and Thunderbird: Graphics Vulnerability Allows Malicious Code Execution

Summary

Certain versions of Firefox and Thunderbird have a vulnerability in their graphics component that could allow malicious code to escape the browser's security sandbox, potentially leading to unauthorized access to sensitive information or system data. This affects users of outdated versions of the software, and we recommend updating to the latest version to ensure security. Users should update their software as soon as possible to prevent potential exploitation.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
mozilla	firefox	<= 115.33.0	–
mozilla	firefox	<= 148.0	–
mozilla	firefox	> 128.0 , <= 140.8.0	–
mozilla	thunderbird	<= 140.8.0	–
mozilla	thunderbird	<= 148.0	–

Original title

Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and...

Original description

Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

nvd CVSS3.1 10.0

Vulnerability type

CWE-1384

https://bugzilla.mozilla.org/show_bug.cgi?id=2011062 Issue Tracking Permissions Required
https://www.mozilla.org/security/advisories/mfsa2026-13/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2026-14/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2026-15/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2026-16/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2026-17/ Vendor Advisory