Description
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Published: 2026-06-16
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw occurs in Mozilla’s Security: Process Sandboxing component. It allows a sandboxed process to read data outside its intended scope, leading to information disclosure and potential sandbox escape. The weakness is classified as CWE‑269 (improper authorization controls) and CWE‑403 (improper restriction of operations within bounds of a user).

Affected Systems

Mozilla Firefox and Mozilla Thunderbird, including their main releases and ESR branches, are vulnerable. The vulnerability exists in versions before Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird ESR 140.12.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate risk. The EPSS score of <1 % shows a very low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. No public details about specific attack conditions are available; the issue is limited to sandboxed processes that have not been updated to a fixed build.

Generated by OpenCVE AI on June 18, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Firefox 152, Firefox ESR 140.12, Thunderbird 152, or Thunderbird ESR 140.12 to apply the vendor fix.
  • If an immediate update is not feasible, restrict sandboxed processes by applying host‑level security policies such as SELinux or AppArmor to limit file access.
  • Review installed extensions or add‑ons that run with elevated privileges and consider disabling them until the software is patched, to reduce the chance that a malicious sandboxed process could gain additional access.

Generated by OpenCVE AI on June 18, 2026 at 18:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4635-1 firefox-esr security update
Debian DLA Debian DLA DLA-4636-1 thunderbird security update
Debian DSA Debian DSA DSA-6350-1 firefox-esr security update
Debian DSA Debian DSA DSA-6351-1 thunderbird security update
History

Thu, 18 Jun 2026 16:45:00 +0000


Tue, 16 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12. Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
References

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Title Information disclosure, sandbox escape in the Security: Process Sandboxing component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-16T16:08:38.239Z

Reserved: 2026-06-15T15:08:15.915Z

Link: CVE-2026-12313

cve-icon Vulnrichment

Updated: 2026-06-16T14:32:00.303Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-16T13:16:31.920

Modified: 2026-06-16T20:46:21.827

Link: CVE-2026-12313

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-16T11:52:46Z

Links: CVE-2026-12313 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T18:30:15Z

Weaknesses
  • CWE-269

    Improper Privilege Management

  • CWE-403

    Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')