Description
Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
Published: 2026-05-12
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sandbox escape in the Profile Backup component of Mozilla Firefox and Thunderbird allows an attacker to break out of the application sandbox by manipulating backup data. The flaw is associated with CWE-653 (Untrusted File Content) and CWE-693 (Improper Authentication). If exploited, the attacker could execute arbitrary code with elevated privileges or compromise the confidentiality, integrity, and availability of the affected system.

Affected Systems

All Mozilla Firefox releases prior to version 150.0.3, including ESR 115.36 and ESR 140.11, and Thunderbird versions before 140.11 are impacted. The issue was fixed in Firefox 150.0.3, ESR 115.36, ESR 140.11, and Thunderbird 140.11.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, while the EPSS score of < 1% suggests a low but non-zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves processing a malicious backup file or triggering the backup functionality through an internal or remote debugging interface. If local or remote access to the user’s profile data is achieved, the attacker could potentially trigger the escape and execute code with elevated privileges.

Generated by OpenCVE AI on May 20, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the vendor patch by updating to Firefox 150.0.3, ESR 115.36, or ESR 140.11, depending on the environment.
  • If an upgrade cannot be applied immediately, disable the automatic profile backup feature or ensure that only trusted backup files are restored.
  • Reduce the risk by restricting file-system permissions on profile backup directories so that only trusted users can read or write them.
  • Verify that any custom backup handling restricts file operations to the sandboxed environment, following CWE-653 guidelines.

Generated by OpenCVE AI on May 20, 2026 at 01:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4592-1 firefox-esr security update
Debian DLA Debian DLA DLA-4594-1 thunderbird security update
Debian DSA Debian DSA DSA-6283-1 firefox-esr security update
Debian DSA Debian DSA DSA-6288-1 thunderbird security update
History

Wed, 20 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-653
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, and Firefox ESR 140.11. Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
References

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3. Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, and Firefox ESR 140.11.
References

Fri, 15 May 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*

Thu, 14 May 2026 23:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Thu, 14 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 12 May 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 12 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 12 May 2026 15:00:00 +0000

Type Values Removed Values Added
Description Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3.
Title Sandbox escape in the Profile Backup component
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:47.433Z

Reserved: 2026-05-12T14:19:41.837Z

Link: CVE-2026-8401

cve-icon Vulnrichment

Updated: 2026-05-14T16:45:19.819Z

cve-icon NVD

Status : Modified

Published: 2026-05-12T15:16:20.100

Modified: 2026-05-19T18:16:31.523

Link: CVE-2026-8401

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-12T14:24:33Z

Links: CVE-2026-8401 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T01:30:06Z

Weaknesses