Impact
The flaw occurs in Mozilla’s Security: Process Sandboxing component. It allows a sandboxed process to read data outside its intended scope, leading to information disclosure and potential sandbox escape. The weakness is classified as CWE‑269 (improper authorization controls) and CWE‑403 (improper restriction of operations within bounds of a user).
Affected Systems
Mozilla Firefox and Mozilla Thunderbird, including their main releases and ESR branches, are vulnerable. The vulnerability exists in versions before Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird ESR 140.12.
Risk and Exploitability
The CVSS score of 4.7 indicates moderate risk. The EPSS score of <1 % shows a very low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. No public details about specific attack conditions are available; the issue is limited to sandboxed processes that have not been updated to a fixed build.
OpenCVE Enrichment
Debian DLA
Debian DSA