CRITICAL | CVE-2026-12297 | CNA: mozilla

CVE-2026-12297: Sandbox escape due to incorrect boundary conditions in the Networking component

Sandbox escape due to incorrect boundary conditions in the Networking component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: 115.37
Affected Products: 2


HarborGuard Analysis

Synopsis

This is a sandbox escape vulnerability in the Networking component of Mozilla Firefox and Thunderbird. It is reachable over the network with no authentication required, but does require a victim to interact with attacker-controlled content; the CVSS scope change flag indicates a successful exploit breaks out of the browser or email client sandbox into the host environment. Successful exploitation gives an attacker full read, write, and denial-of-service capability over the affected system. Patched-image rebuilds at Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-12297 is available across every HarborGuard environment, with the CVE matched against customer images, including custom-built images containing Firefox or Thunderbird, within minutes of publication from upstream advisory feeds. Any image layer carrying an affected Firefox or Thunderbird version is flagged automatically in both registry scans and CI/CD pipeline checks.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 9.6 Critical and weighting it against each customer organization's configured compliance policy to determine escalation priority. Routed findings land in the appropriate team inbox inside each customer org based on image ownership and policy rules.

Status: Available

Patch

A patched-image rebuild targeting Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, or Thunderbird 140.12 becomes available on HarborGuard as soon as the upstream fix is confirmed in the ingest cycle. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim's browser or mail client over the network, for example by serving a malicious web page or HTML email from a remote host.

  • Authentication: Not required

    No account or credential of any kind is needed; the attacker only needs the victim to load attacker-controlled content.

  • Victim interaction: Required

    The victim must take an action such as visiting a malicious URL or opening a crafted message, making social engineering a necessary part of exploitation.

  • Attack complexity: Detail

    Attack complexity is Low: the attacker needs no specialized access conditions or extenuating circumstances, such as winning a race or knowing the target's memory layout, and can expect repeatable success.

Blast Radius

  • Reads arbitrary files and sensitive data accessible to the browser or mail client process on the host, including session tokens, credentials stored on disk, and user documents.
  • Writes or modifies files on the host filesystem outside the sandbox boundary, enabling persistent implants or tampering with application data.
  • Crashes or denies service to the host-level process, not just the sandboxed tab or message context.
  • Because the CVSS scope is Changed, impact extends beyond the sandboxed application to other processes and resources on the underlying host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12297 is active across all customer registries and pipelines as of the advisory publication date, covering any image that packages Firefox or Thunderbird at an affected version. Given the Critical severity and Changed scope, this CVE is prioritized for fast-path triage routing. For customers with auto-remediation enabled, HarborGuard targets a patched rebuild at Firefox 152, ESR 140.12, or ESR 115.37 (and the equivalent Thunderbird releases), runs a regression test against the rebuilt image, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval before merging, the PR is opened and held for reviewer sign-off. Customers who cannot immediately update should consider network-policy controls that restrict outbound browser process connections and egress filtering on container workloads running these applications as a compensating control while the upgrade is validated.


Fix available

115.37, 140.12, 152

Affected packages
  • Mozilla / Firefox
    Fixed in 115.37, 140.12, 152
  • Mozilla / Thunderbird
    Fixed in 140.12, 152
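
A version check against the fixed releases listed above, as an added example (not HarborGuard's or Mozilla's code). The inventory entries are constructed, and the branch-matching rule is an assumption: the page lists fixed versions only, not affected ranges.

```python
import re

# Fixed versions copied from the "Affected packages" list on this page.
FIXED = {
    "firefox": [(115, 37), (140, 12), (152, 0)],
    "thunderbird": [(140, 12), (152, 0)],
}

def parse_version(text):
    """Return (major, minor) from strings such as '140.11.0esr' or '152.0'."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def fix_status(product, version):
    """Classify one installed version against the fixed releases.

    Assumed rule (not stated on the page): a build sharing its major number
    with a listed fix is on that branch; anything at or above the newest
    listed fix is fixed; every other version has no fix on its branch.
    """
    fixes = FIXED[product.lower()]
    installed = parse_version(version)
    if installed >= max(fixes):
        return "fixed", None
    for branch in fixes:
        if installed[0] == branch[0]:
            if installed >= branch:
                return "fixed", None
            return "update", f"{branch[0]}.{branch[1]}"
    return "no-fix-on-branch", str(max(fixes)[0])

# Constructed inventory (image name, product, version) for illustration only.
INVENTORY = [
    ("ci-browser-tests", "Firefox", "140.11.0esr"),
    ("kiosk", "Firefox", "115.37.0esr"),
    ("legacy-mail", "Thunderbird", "115.18.0"),
    ("desktop-base", "Firefox", "152.0"),
]

def triage(inventory):
    """Return only the entries that still need action, with the target version."""
    return [(name, *fix_status(product, version))
            for name, product, version in inventory
            if fix_status(product, version)[0] != "fixed"]

if __name__ == "__main__":
    print(triage(INVENTORY))
```

The Thunderbird 115.x entry lands in `no-fix-on-branch` because the page lists a 115.37 fix for Firefox only; such installs have to move to a branch with a listed fix.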
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H