Description
Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Published: 2026-01-13
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Sandbox escape enabling execution of code outside the application sandbox
Action: Immediate Patch
AI Analysis

Impact

A flaw in the graphics component allows incorrect handling of boundary conditions, which can lead to a sandbox escape. Exploitation would give an attacker the ability to execute arbitrary code outside the confined environment of the application, potentially compromising the entire host system or any processes the user runs. The vulnerability is a classic example of unsafe memory manipulation under CWE-119, which directly threatens confidentiality, integrity, and availability of the affected machine.

Affected Systems

Mozilla products including Firefox and Thunderbird are affected. The issue exists in all releases of Firefox and Thunderbird predating the security fixes. The fixes were rolled out in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7, so any version older than those is vulnerable.

Risk and Exploitability

The CVSS score of 9.8 marks it as a critical severity. However, the EPSS score of less than 1% indicates a low current exploitation probability. It is not listed in the KEV catalog, implying no confirmed active exploits at the moment. The attack vector is likely local or remote content exploitation; a malicious web page or message that renders graphics could trigger the boundary check bypass. Given the lack of known public exploits, the risk remains primarily theoretical, but the severity calls for rapid action.

Generated by OpenCVE AI on April 15, 2026 at 15:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 147 or later, or to Firefox ESR 115.32 / 140.7
  • Upgrade to Thunderbird 147 or later, or to Thunderbird ESR 140.7
  • Apply the official security update through the update manager or install the latest release version

Generated by OpenCVE AI on April 15, 2026 at 15:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4439-1 firefox-esr security update
Debian DLA Debian DLA DLA-4442-1 thunderbird security update
Debian DSA Debian DSA DSA-6101-1 firefox-esr security update
Debian DSA Debian DSA DSA-6103-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Thu, 15 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, and Firefox ESR < 140.7. Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
References

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr

Wed, 14 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 13 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 14:00:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, and Firefox ESR < 140.7.
Title Sandbox escape due to incorrect boundary conditions in the Graphics component
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:42.642Z

Reserved: 2026-01-13T13:30:53.990Z

Link: CVE-2026-0879

cve-icon Vulnrichment

Updated: 2026-01-13T18:38:03.602Z

cve-icon NVD

Status : Modified

Published: 2026-01-13T14:16:38.463

Modified: 2026-04-13T15:17:16.533

Link: CVE-2026-0879

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-13T13:30:54Z

Links: CVE-2026-0879 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:30:10Z

Weaknesses