Severity: CRITICAL. CVE-2026-12296. CNA: mozilla

CVE-2026-12296: Sandbox escape in the Security: Process Sandboxing component

Sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: 140.12
  • Affected Products: 2


HarborGuard Analysis

Synopsis

A sandbox escape vulnerability exists in the Security: Process Sandboxing component of Mozilla Firefox and Thunderbird. The flaw is reachable over the network and requires no authentication, but it does require a user to interact with malicious content (for example, visiting a crafted page or opening a crafted message). Successful exploitation lets an attacker break out of the browser or email client sandbox and gain full read, write, and availability impact on the host, including reading files and credentials, modifying data, and crashing processes. A patched-image rebuild at Firefox 152 and Firefox ESR 140.12 (and the equivalent Thunderbird versions) is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Firefox or Thunderbird. Any image containing an affected version is flagged automatically in both registry scans and CI pipeline checks.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 9.6 Critical and surfaces it with that severity weighting in each customer environment, adjusted further by any per-environment compliance policy rules. Triage findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild targeting Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12 is available on HarborGuard for environments running any affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against it, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The vulnerable component is exposed over the network, so an attacker must be able to reach the target's browser or email client via a network-delivered payload such as a malicious website or email.

  • Authentication: Not required

    No account or credentials are needed; the attacker can target any user without prior access to the system.

  • Victim interaction: Required

    The attacker must socially engineer the victim into triggering the exploit, for example by convincing them to visit a crafted web page or open a crafted email message.

  • Attack complexity (detail)

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout assumptions, or other environmental factors to succeed.

Blast Radius

  • Reads arbitrary files and sensitive data accessible to the sandboxed process, including stored credentials and session tokens.
  • Modifies files and data on the host that the escaped process can reach, enabling persistent changes outside the sandbox boundary.
  • Crashes or disrupts the affected Firefox or Thunderbird process and any dependent services, causing denial of service.
  • Scope is marked Changed (S:C), meaning impact extends beyond the sandboxed component itself to the underlying host or other processes sharing the system.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12296 is active against all scanned images the moment the CVE enters the upstream feed. For environments running any affected Firefox or Thunderbird version, a patched-image rebuild at the fixed versions (Firefox 152, Firefox ESR 140.12, Thunderbird 152, Thunderbird 140.12) is available immediately. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs regression tests, and opens a pull request against affected workloads; for Critical-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS 9.6 Critical priority so security teams can act manually. Given the Changed scope and network-reachable attack surface, customers without an immediate upgrade path should consider restricting network access to systems running affected versions and applying content-security or egress filtering as compensating controls while a rebuild is prepared.

Fix available: 140.12, 152

Affected packages
  • Mozilla / Firefox
    Fixed in 140.12, 152
  • Mozilla / Thunderbird
    Fixed in 140.12, 152
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H