Description
Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Thunderbird 150, and Firefox ESR 140.10.1.
Published: 2026-04-28
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: Sandbox escape
Action: Immediate Patch
AI Analysis

Impact

The vulnerability described as a sandbox escape due to incorrect boundary conditions in the WebRTC networking component allows an attacker to breach the isolation provided by WebRTC, potentially executing code or accessing data beyond intended memory limits. Such exploitation could corrupt application state, elevate privileges within the browser context, or allow arbitrary code execution inside the sandboxed environment. The issue was fixed in Firefox 150, Thunderbird 150, and Firefox ESR 140.10.1.

Affected Systems

Mozilla Firefox, all releases prior to version 150 and the ESR 140.10.1 build, and Mozilla Thunderbird, all releases prior to version 150, are affected. Any system running an affected build with WebRTC enabled is potentially vulnerable. Users on other browsers are not impacted.

Risk and Exploitability

The CVSS score of 9.6 denotes a very high severity risk. EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, implying no publicly documented exploits. Attackers could exploit this sandbox escape by sending malicious WebRTC traffic to a vulnerable browser with the component enabled, which could lead to arbitrary code execution within the browser context. The likely attack vector is inferred from the description, as it is not explicitly stated in the input.

Generated by OpenCVE AI on April 29, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to ESR 140.10.1 or later to receive the vendor’s fix.
  • Update Thunderbird to version 150 or later to receive the vendor’s fix.
  • If an update cannot be applied immediately, disable WebRTC by altering the about:config setting \"media.peerconnection.enabled\" to false to block the component that contains the flaw.
  • Continue to monitor Mozilla security advisories for additional patches or guidance.

Generated by OpenCVE AI on April 29, 2026 at 07:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 06:00:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox ESR 140.10.1. Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Thunderbird 150, and Firefox ESR 140.10.1.
References

Tue, 28 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 28 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox ESR 140.10.1.
Title Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-29T05:43:23.903Z

Reserved: 2026-04-28T13:42:16.846Z

Link: CVE-2026-7321

cve-icon Vulnrichment

Updated: 2026-04-28T14:48:26.139Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-28T15:16:37.550

Modified: 2026-04-29T06:16:08.357

Link: CVE-2026-7321

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T08:00:06Z

Weaknesses