HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-12295Published Modified CNA mozilla

CVE-2026-12295: Sandbox escape in the DOM: Navigation component

Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
115.37
Affected Products
2

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A sandbox escape vulnerability exists in the DOM Navigation component of Mozilla Firefox and Thunderbird. The flaw is reachable over the network without any authentication, but requires the victim to interact with attacker-controlled content, as indicated by the CVSS vector (AV:N/PR:N/UI:R). Successful exploitation allows a remote attacker to break out of the browser sandbox and gain high-impact access to confidentiality, integrity, and availability of the underlying system. Patched-image rebuilds at Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-12295 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds including Mozilla advisories and NVD, covering both official base images and custom-built images that bundle Firefox or Thunderbird. Any image in a customer registry or CI pipeline containing an affected version is flagged automatically.

Available
Triage

HarborGuard scores this CVE at CVSS 9.6 Critical and applies per-environment compliance policy weighting to determine routing priority, surfacing findings to the appropriate team inbox within each customer organization. Security engineers can review matched images alongside the full CVSS vector breakdown directly in the HarborGuard console.

Available
Patch

A patched-image rebuild at Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, or Thunderbird 140.12 becomes available on HarborGuard for any environment running an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the target over the network, for example by serving a malicious web page or email content to the victim.

  • AuthenticationNot required

    No account or credentials are needed; the attacker requires no prior authentication to the affected application.

  • Victim interactionRequired

    The victim must interact with attacker-controlled content, such as visiting a malicious URL or opening a crafted message, making social engineering a necessary part of the attack chain.

  • Attack complexityDetail

    Attack complexity is Low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental factors to succeed.

Blast Radius

  • A successful attacker escapes the browser or mail-client sandbox entirely, gaining execution context outside its intended isolation boundary.
  • High confidentiality impact means the attacker reads files, credentials, and other data accessible to the user running Firefox or Thunderbird on the host.
  • High integrity impact means the attacker writes, modifies, or plants files and data on the host system under the victim user account.
  • High availability impact means the attacker crashes or disrupts the affected application and potentially other processes accessible from the escaped sandbox context.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12295 is active against all scanned images the moment the advisory enters the ingest pipeline. For environments running any unpatched version of Firefox or Thunderbird in a container image, HarborGuard can surface a patched rebuild at the fixed versions (Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, Thunderbird 140.12). Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression test run, and opens a pull request against affected workloads; for Critical-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who manage remediation manually can use the HarborGuard findings dashboard to prioritize by compliance policy weight and export affected image lists for their own patching workflow.

See how HarborGuard automates this

Fix available

115.37140.12152
Affected packages
  • Mozilla / Firefox
    Fixed in 115.37, 140.12, 152
  • Mozilla / Thunderbird
    Fixed in 140.12, 152
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References