Description
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
Published: 2025-12-09
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via sandbox escape
Action: Immediate Patch
AI Analysis

Impact

The CanvasWebGL component in Mozilla’s browsers and email client performs improper boundary checks, allowing a malicious actor to escape the sandbox and execute code or read local files. This defect is categorized as CWE‑754, an improper restriction of operations within the bounds of a resource. The consequence is the ability for an attacker to gain full remote code execution on a vulnerable system.

Affected Systems

Users of Mozilla Firefox versions before 146 (including ESR 115.x and ESR 140.x releases) and users of Mozilla Thunderbird versions before 146 (including ESR 140.x) are affected. All builds containing the CanvasWebGL component prior to the stated patch dates are vulnerable.

Risk and Exploitability

The vulnerability carries a high CVSS score of 8.0, reflecting significant potential impact. Its EPSS score is below 1 %, indicating a low probability of exploitation at this time, and it is not listed in the CISA KEV catalog. The likely attack vector involves loading a crafted WebGL scene from a malicious web page or an email attachment, which triggers the boundary error and causes the sandbox escape, potentially leading to arbitrary code execution.

Generated by OpenCVE AI on April 20, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Firefox 146 or newer, or to the latest ESR 115.31 or 140.6, and install the corresponding patch.
  • Update Thunderbird to version 146 or newer, or to the latest ESR 140.6, and apply the available fix.
  • If an update cannot be applied immediately, block or disable WebGL by setting "dom.webgl.enabled" to false in about:config or through a policy configuration to prevent exploitation via the CanvasWebGL component.

Generated by OpenCVE AI on April 20, 2026 at 17:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4401-1 firefox-esr security update
Debian DLA Debian DLA DLA-4405-1 thunderbird security update
Debian DSA Debian DSA DSA-6078-1 firefox-esr security update
Debian DSA Debian DSA DSA-6081-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.

Wed, 10 Dec 2025 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr

Wed, 10 Dec 2025 14:45:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, and Firefox ESR < 140.6. Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
References

Wed, 10 Dec 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 09 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-754
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 13:45:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, and Firefox ESR < 140.6.
Title Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:25:29.901Z

Reserved: 2025-12-09T13:37:54.554Z

Link: CVE-2025-14322

cve-icon Vulnrichment

Updated: 2025-12-09T15:37:07.838Z

cve-icon NVD

Status : Modified

Published: 2025-12-09T16:17:39.523

Modified: 2026-04-13T15:16:45.033

Link: CVE-2025-14322

cve-icon Redhat

Severity : Important

Publid Date: 2025-12-09T13:37:55Z

Links: CVE-2025-14322 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:45:12Z

Weaknesses