Description
Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows code to escape the Firefox sandbox, giving an attacker the ability to execute arbitrary instructions on the host. The impact includes full compromise of confidentiality, integrity, and availability for the affected user, as the sandbox boundary is removed and potentially sensitive system resources become accessible. The weakness corresponds to improper privilege handling that permits code beyond its intended isolation to run with elevated privileges.

Affected Systems

Mozilla Firefox and Firefox Focus on Android are affected. The vulnerability was fixed in Firefox 151, implying all earlier releases are vulnerable. No specific version ranges are listed, so it is recommended to treat all versions prior to 151 as affected.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, so publicly known exploitation data is limited. The CVSS score of 7.5 indicates high severity. Nonetheless, the nature of a sandbox escape indicates a high potential for serious compromise. The likely attack vector is inferred to be the delivery of malicious web content or extensions that trigger the escape, as is common with browser sandbox vulnerabilities. No additional exploitation prerequisites are documented in the provided description.

Generated by OpenCVE AI on May 19, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 151 or newer, which contains the fixed sandbox implementation.
  • Upgrade Firefox Focus on Android to the latest release available through the Play Store.
  • Follow the vendor’s general security best practices—enable safe browsing, keep TLS and update settings enabled—to reduce the chance that malicious content could exploit this weakness until a patch is applied.

Advisories

No advisories yet.

History

Thu, 21 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla firefox Focus
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:android:*:*
Vendors & Products Mozilla firefox Focus

Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-250
CWE-285

Tue, 19 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Weaknesses CWE-250
CWE-285
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151.
Title Sandbox escape in Firefox and Firefox Focus for Android
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-26T17:47:40.476Z

Reserved: 2026-05-19T12:29:34.019Z

Link: CVE-2026-8945

Vulnrichment

Updated: 2026-05-19T15:12:02.629Z

NVD

Status: Analyzed

Published: 2026-05-19T14:16:50.687

Modified: 2026-05-21T20:56:23.557

Link: CVE-2026-8945

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T19:30:12Z

Weaknesses
  • CWE-693

    Protection Mechanism Failure