Description
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Published: 2026-06-16
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability enables an attacker to read sensitive information from the sandboxed environment and potentially escape the sandbox, exposing data that otherwise would be protected. The weakness is rooted in information exposure (CWE‑200), unnecessary privilege escalation via sandbox escape (CWE‑688), and improper handling of privileged data that can lead to accidental disclosure (CWE‑243). As a result, confidentiality of user data and the integrity of the sandboxed process may be compromised.

Affected Systems

Firefox browser versions earlier than 152 (including ESR 140.12) and Thunderbird mail client versions earlier than 152 (including ESR 140.12) are impacted. All standard releases of these products that have not applied the fix remain vulnerable.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate severity, and the EPSS score of less than 1% suggests low likelihood of attack at present. The vulnerability is not listed in the CISA KEV catalog. It is inferred that an attacker would need to execute malicious code within the sandbox—either locally or via compromised content—to exploit the escape; remote exploitation through external input is not explicitly documented.

Generated by OpenCVE AI on June 18, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 152 or later and Thunderbird 152 or later, including ESR 140.12 versions;
  • If a prompt upgrade is not yet possible, disable add‑ons or extensions that load external content into the sandboxed process to reduce attack surface;
  • Continuously monitor system and application logs for unusual sandbox failures or inter‑process communication that may indicate a sandbox escape attempt.

Generated by OpenCVE AI on June 18, 2026 at 18:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4635-1 firefox-esr security update
Debian DLA Debian DLA DLA-4636-1 thunderbird security update
Debian DSA Debian DSA DSA-6350-1 firefox-esr security update
Debian DSA Debian DSA DSA-6351-1 thunderbird security update
History

Thu, 18 Jun 2026 16:45:00 +0000


Tue, 16 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12. Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
References

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-688
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Title Information disclosure, sandbox escape in the Security: Process Sandboxing component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-16T16:08:37.133Z

Reserved: 2026-06-15T15:08:15.120Z

Link: CVE-2026-12311

cve-icon Vulnrichment

Updated: 2026-06-16T14:57:46.152Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-16T13:16:31.677

Modified: 2026-06-16T20:45:26.677

Link: CVE-2026-12311

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-16T11:52:44Z

Links: CVE-2026-12311 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T18:30:15Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-243

    Creation of chroot Jail Without Changing Working Directory

  • CWE-688

    Function Call With Incorrect Variable or Reference as Argument