The most recent Mozilla Firefox sandbox escape vulnerabilities were disclosed in January 2026 as part of Firefox security updates. These critical flaws affect multiple components and require immediate patching. No confirmed exploitation in the wild has been reported for these latest issues.
Recent Vulnerabilities (January 2026)
Mozilla addressed several sandbox escapes in Firefox updates announced around January 13-14, 2026.
- CVE-2026-0881: Sandbox escape in the Messaging System component (CVSS 10.0). A compromised content process can break out of the sandbox for arbitrary code execution.
- CVE-2026-0879: Sandbox escape from incorrect boundary conditions in the Graphics component (CVSS 9.8). Allows elevation to parent process or system access.
- CVE-2026-0880: Sandbox escape due to integer overflow in Graphics (high impact).
- CVE-2026-0878: Sandbox escape via incorrect boundary conditions in Graphics: CanvasWebGL.
Affected versions include Firefox before 147, ESR before 115.32 and 140.7.
Earlier Notable Case (March 2025)
CVE-2025-2857 involved an IPC flaw allowing sandbox escape on Windows (patched in Firefox 136.0.4). It mirrored a Chrome zero-day but lacked known exploits .
Mitigation Steps
Update to Firefox 147+ or ESR 115.32+ immediately. Monitor Mozilla advisories (MFSA 2026-01/02)
