Description
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Security: Process Sandboxing component of Mozilla Firefox permits an unauthenticated attacker to read protected data and escape the sandbox. The vulnerability compromises confidentiality by exposing information that should be confined to a separate process and weakens the isolation guarantees of the browser, potentially enabling broader attacks such as data exfiltration or privilege escalation within the browser environment.

Affected Systems

Mozilla Firefox installations older than version 151, and extended‑support (ESR) installations older than 140.11, are affected. The issue was fixed in Firefox 151 and ESR 140.11, and the description lists the same fix for Thunderbird 151 and Thunderbird 140.11, so upgrading to these or later releases removes the vulnerability.

Risk and Exploitability

No EPSS score is published and the vulnerability is not listed in the CISA KEV catalog, so the likelihood of exploitation cannot be quantified. The CVSS 3.1 score is 8.6 (High), with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N: network-reachable, low complexity, no privileges or user interaction required, changed scope, and high confidentiality impact. The attack path itself is not described; it is inferred that exploitation would require the attacker to trigger a vulnerable code path within the browser’s sandbox, potentially via a malicious web page or compromised component. No public exploits are known.

Generated by OpenCVE AI on May 19, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

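  • Upgrade Firefox to version 151 or ESR 140.11, or a later release, to obtain the sandbox fix; the description lists Thunderbird 151 and Thunderbird 140.11 as the corresponding fixed Thunderbird releases.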
  • Restart the browser after the update to activate the new sandbox configuration.
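  • If an immediate update cannot be applied, consider disabling the sandbox or adjusting the sandbox policy to restrict file‑system access that is not required for normal operations. Of the two, tightening the policy is the safer choice, because disabling the sandbox removes process isolation altogether.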
  • Continuously monitor browser logs and network activity for anomalous patterns that might indicate exploitation attempts.

Advisories

No advisories yet.

History

Tue, 19 May 2026 17:45:00 +0000

Type: Description
Values Removed: Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Values Added: Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Type: References

Tue, 19 May 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-668
CWE-693
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Title Information disclosure, sandbox escape in the Security: Process Sandboxing component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:50.174Z

Reserved: 2026-05-19T12:29:53.304Z

Link: CVE-2026-8958

Vulnrichment

Updated: 2026-05-19T15:04:50.040Z

NVD

Status: Undergoing Analysis

Published: 2026-05-19T14:16:52.170

Modified: 2026-05-19T16:16:22.937

Link: CVE-2026-8958

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T16:45:06Z

Weaknesses