Description
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Security: Process Sandboxing component allows an attacker to read protected data and escape from the sandbox. The vulnerability exposes information that should be confined to a separate browser process, compromising confidentiality and weakening the isolation guarantees that separate processes provide. The issue is fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

Affected Systems

All installations of Mozilla Firefox that are older than version 151 or the extended‑support release 140.11 and all installations of Mozilla Thunderbird that are older than version 151 or the ESR 140.11 are affected. The issue was fixed in Firefox 151 and ESR 140.11, and Thunderbird 151 and ESR 140.11, so upgrading to these or later releases removes the vulnerability.

Risk and Exploitability

The EPSS score of 0.00044 indicates an extremely low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, so formal exploitation likelihood cannot be quantified. The CVSS score is 8.6, indicating a high severity. The attack vector is not explicitly described; it is inferred that exploitation would require the attacker to trigger a vulnerable code path within the browser’s sandbox, potentially via a malicious web page or compromised component. No known public exploits are reported.

Generated by OpenCVE AI on May 22, 2026 at 02:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 151 or the ESR 140.11 release or later to obtain the sandbox fix.
  • Upgrade Thunderbird to version 151 or the ESR 140.11 release or later to obtain the sandbox fix.
  • Restart the browser after the update to activate the new sandbox configuration.
  • If an immediate update cannot be applied, consider disabling the sandbox or adjusting the sandbox policy to restrict file‑system access that is not required for normal operations.
  • Continuously monitor browser logs and network activity for anomalous patterns that might indicate exploitation attempts.



Advisories
Source | ID | Title
Debian DLA | DLA-4592-1 | firefox-esr security update
Debian DLA | DLA-4594-1 | thunderbird security update
Debian DSA | DSA-6283-1 | firefox-esr security update
Debian DSA | DSA-6288-1 | thunderbird security update

History

Fri, 22 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-403
References
Metrics
Values Removed: threat_severity None
Values Added: threat_severity Moderate


Wed, 20 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 19 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Values Added: Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
References

Tue, 19 May 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-668
CWE-693
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Title Information disclosure, sandbox escape in the Security: Process Sandboxing component
References

Subscriptions

Mozilla Firefox Thunderbird
MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:50.174Z

Reserved: 2026-05-19T12:29:53.304Z

Link: CVE-2026-8958

Vulnrichment

Updated: 2026-05-19T15:04:50.040Z

NVD

Status: Analyzed

Published: 2026-05-19T14:16:52.170

Modified: 2026-05-20T15:01:41.923

Link: CVE-2026-8958

Red Hat

Severity: Moderate

Public Date: 2026-05-19T12:29:54Z

Links: CVE-2026-8958 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-22T02:15:06Z

Weaknesses
  • CWE-403

    Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')

  • CWE-668

    Exposure of Resource to Wrong Sphere

  • CWE-693

    Protection Mechanism Failure