Description
Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Published: 2026-01-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Sandbox Escape
Action: Apply Patch
AI Analysis

Impact

An integer overflow within the graphics subsystem can cause the sandbox that normally isolates web content or email attachments to escape, allowing code to run with the privileges of the host application. This flaw, identified as CWE‑190, does not inherently grant unrestricted code execution, but it enables the attacker to break out of the sandboxed environment used by Firefox or Thunderbird.

Affected Systems

All versions of Mozilla Firefox released before 147, as well as the ESR releases prior to 115.32 (Firefox ESR 115) and prior to 140.7 (Firefox ESR 140), are vulnerable. The same applies to Thunderbird versions preceding 147 and the ESR 140.7 release. Users running these older builds need to upgrade to a patched version to eliminate the integer‑overflow weakness.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity. However, the EPSS indicates a low exploitation probability (less than 1 %). The vulnerability is not listed in CISA’s KEV catalog. Attackers would most likely trigger the overflow by supplying malicious graphics or image data, such as on a compromised web page or through a crafted email attachment; this inference is based on the nature of the flaw.

Generated by OpenCVE AI on April 15, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 147 or newer, or upgrade to the ESR releases 115.32 or 140.7, to eliminate the graphics integer‑overflow flaw.
  • Update Mozilla Thunderbird to version 147 or newer, or upgrade to ESR 140.7, to apply the same fix.
  • If an immediate update is not possible, configure the application to block or restrict rendering of untrusted graphic content, and monitor Mozilla security advisories for further guidance.

Generated by OpenCVE AI on April 15, 2026 at 17:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4439-1 firefox-esr security update
Debian DLA Debian DLA DLA-4442-1 thunderbird security update
Debian DSA Debian DSA DSA-6101-1 firefox-esr security update
Debian DSA Debian DSA DSA-6103-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Thu, 15 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, and Firefox ESR < 140.7. Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
References

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr

Wed, 14 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 13 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 14:00:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, and Firefox ESR < 140.7.
Title Sandbox escape due to integer overflow in the Graphics component
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:44.559Z

Reserved: 2026-01-13T13:30:54.411Z

Link: CVE-2026-0880

cve-icon Vulnrichment

Updated: 2026-01-13T18:41:07.412Z

cve-icon NVD

Status : Modified

Published: 2026-01-13T14:16:38.557

Modified: 2026-04-13T15:17:16.710

Link: CVE-2026-0880

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-13T13:30:54Z

Links: CVE-2026-0880 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses