CVE-2026-12294: Sandbox escape in the DOM: Workers component
Sandbox escape in the DOM: Workers component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 115.37
- Affected Products: 2
HarborGuard Analysis
Synopsis
A sandbox escape vulnerability exists in the DOM Workers component of Mozilla Firefox and Thunderbird. The flaw is reachable over the network without any authentication, but requires a user to interact with attacker-controlled content, such as visiting a malicious page or opening a crafted message. Successful exploitation gives an attacker full confidentiality, integrity, and availability impact across the browser or mail client process boundary, escaping the sandbox entirely. A patched-image rebuild at fix versions Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 140.12 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Firefox or Thunderbird. Any image carrying an affected version is flagged immediately in both registry scans and CI pipeline checks.
Available
HarborGuard scores this CVE at 9.6 CRITICAL using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. The resulting finding is delivered to the appropriate team inbox inside each customer organization based on their configured policy.
Available
A patched-image rebuild at Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, or Thunderbird 140.12 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, the platform performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The vulnerable component is exposed over the network, meaning an attacker can deliver a malicious payload by hosting it on a remote server reachable by the victim's browser or mail client.
- Authentication: Not required
  No account or credential of any kind is needed before the attacker can attempt exploitation.
- Victim interaction: Required
  The victim must take an action, such as visiting an attacker-controlled web page or opening a crafted email message, for the exploit to trigger.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other unpredictable environmental factors.
Blast Radius
- A successful attacker escapes the browser or mail client sandbox and gains the ability to read any data accessible to the host process, including stored credentials, cookies, and local files.
- The attacker can write or modify data within the host process context, including persisting malicious content or altering application state.
- The attacker can crash or disrupt the affected Firefox or Thunderbird process, causing a denial of service for the end user.
- Because the Scope metric is Changed (S:C), impact extends beyond the sandboxed component itself, meaning the attacker can affect resources outside the original security boundary of the browser worker context.
How HarborGuard Handles This
Available on HarborGuard: detection for this critical sandbox escape is active against all scanned images the moment the CVE is ingested. For environments running container images that bundle Firefox or Thunderbird at any version prior to the fix versions, a patched rebuild targeting Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, or Thunderbird 140.12 is available immediately. For customers who opt into auto-remediation, HarborGuard performs the image rebuild, executes a regression run, and opens a pull request against affected workloads; for high and critical severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the configured team inbox with full CVSS context and remediation instructions attached.
Fix available
- Mozilla / Firefox: Fixed in 115.37, 140.12, 152
- Mozilla / Thunderbird: Fixed in 140.12, 152
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
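
Because the fix landed in several release branches, an inventory check has to compare each build against the fix for its own branch; comparing everything against the single lowest value (115.37) would pass an unpatched 140.11 ESR build. The following is an added example, not HarborGuard's or Mozilla's code: the image names and inventory rows are constructed, and treating a branch with no listed fix as affected is an assumption.

```python
import re

# Fixed versions as listed on this page, keyed by product and major branch.
FIXED = {
    "firefox": {115: (115, 37), 140: (140, 12), 152: (152, 0)},
    "thunderbird": {140: (140, 12), 152: (152, 0)},
}


def parse_version(text):
    """Return (major, minor) from strings such as '140.12.0esr' or '152.0'."""
    match = re.match(r"(\d+)(?:\.(\d+))?", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(match.group(1)), int(match.group(2) or 0)


def is_affected(product, version):
    """True if this build predates the fix for its own branch."""
    branches = FIXED[product.lower()]
    parsed = parse_version(version)
    major = parsed[0]
    if major in branches:
        return parsed < branches[major]
    # Assumption: a branch with no listed fix is affected unless it is
    # newer than the newest fixed release.
    return major < max(branches)


def audit(inventory):
    """Return the (image, product, version) rows that still need a rebuild."""
    return [row for row in inventory if is_affected(row[1], row[2])]


# Constructed sample inventory (hypothetical image names).
SAMPLE_INVENTORY = [
    ("ci/browser-tests:1", "firefox", "151.0.1"),
    ("kiosk/esr:6", "firefox", "115.36.1esr"),
    ("kiosk/esr:7", "firefox", "115.37.0esr"),
    ("desktop/esr:3", "firefox", "140.11.0esr"),
    ("desktop/esr:4", "firefox", "140.12.0esr"),
    ("mail/tb:2", "thunderbird", "128.14.0esr"),
    ("mail/tb:5", "thunderbird", "152.0"),
]

if __name__ == "__main__":
    for image, product, version in audit(SAMPLE_INVENTORY):
        print(f"AFFECTED {image}: {product} {version}")
```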