CVE-2026-10701: Incorrect boundary conditions in the Graphics: Text component
Incorrect boundary conditions in the Graphics: Text component. This vulnerability was fixed in Firefox 151.0.3.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- 151.0.3
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An incorrect boundary condition in the Graphics: Text component of Mozilla Firefox allows a remote attacker to reach the affected service over the network without any authentication. Successful exploitation results in high-impact confidentiality loss, meaning an attacker can read sensitive data from the affected browser process. A patched-image rebuild at Firefox 151.0.3 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-10701 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including custom-built images that bundle Firefox. Coverage extends to both registry scans and inline pipeline checks at build time.
AvailableCVE-2026-10701 is scored at 7.5 HIGH under CVSS v3.1, and that score is applied automatically during triage with weighting adjusted by each customer environment's compliance policy. Findings are routed to the appropriate team inbox within the customer org based on image ownership and severity thresholds.
AvailableA patched-image rebuild at Firefox 151.0.3 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.
AvailableExploit Conditions
- Network reachabilityRequired
The attacker must reach the affected Firefox instance over the network, as the CVSS vector specifies AV:N (network-adjacent exposure is sufficient, no physical or local access required).
- AuthenticationNot required
No credentials or prior account access are needed; the vulnerability is reachable by any unauthenticated party that can send requests to the affected service (PR:N).
- Victim interactionNot required
No user action such as clicking a link or opening a file is required to trigger the vulnerability (UI:N).
- Attack complexityDetail
Exploitation is reliable and condition-free with no race conditions or special environmental dependencies required (AC:L).
Blast Radius
- An attacker reads sensitive data from the Firefox browser process, which may include in-memory session tokens, cached credentials, or private browsing content.
- Confidentiality impact is rated High, meaning the attacker gains access to a significant portion of the data accessible within the affected process, not just isolated fragments.
- Integrity and availability are unaffected according to the CVSS vector, so the attacker cannot modify data or crash the service through this vulnerability alone.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-10701 activates within minutes of CVE publication and matches against all customer images containing Firefox, including custom-built images. Where a fix version (151.0.3) is confirmed, a patched-image rebuild becomes available immediately. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, runs regression tests, and opens a pull request against affected workloads; for high-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers whose compliance policy requires manual approval receive a flagged finding routed to the appropriate team inbox for review and sign-off before any image replacement occurs.
Fix available
- Mozilla / FirefoxFixed in 151.0.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N