PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-0878 Mozilla CVE debrief

CVE-2026-0878 is a HIGH-severity vulnerability affecting Mozilla products. The issue is a sandbox escape caused by incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. The CVE was published on 2026-01-13 and modified on 2026-06-30. The CVSS score is 8, indicating a high severity level. The vulnerability is categorized under CWE-20 and CWE-119.

Vendor
Mozilla
Product
Firefox
CVSS
HIGH 8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-13
Original CVE updated
2026-06-30
Advisory published
2026-01-13
Advisory updated
2026-06-30

Who should care

Organizations and individuals using Mozilla Firefox, Firefox ESR, Thunderbird, or Thunderbird ESR should prioritize patching this vulnerability. The vulnerability's high severity and potential for sandbox escape make it a critical concern for defenders. Mozilla has provided patches for this issue, and users should update their software to the latest versions.

Technical summary

The CVE-2026-0878 vulnerability is caused by incorrect boundary conditions in the Graphics: CanvasWebGL component, leading to a sandbox escape. The vulnerability has a CVSS score of 8 and is categorized under CWE-20 and CWE-119. The attack vector is network-based, and the attack complexity is high. The vulnerability requires no privileges and user interaction is required. The scope is changed, and the impact on confidentiality, integrity, and availability is high.

Defensive priority

Defenders should prioritize patching CVE-2026-0878 due to its high severity and potential for sandbox escape. The vulnerability affects multiple Mozilla products, including Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR.

Recommended defensive actions

  • Apply patches for Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
  • Ensure all Mozilla products are updated to the latest versions.
  • Review and update vulnerability management processes to ensure timely patching of high-severity vulnerabilities.
  • Monitor for potential exploitation attempts and anomalous activity.
  • Consider implementing additional security controls, such as sandboxing and isolation, to mitigate the impact of a potential exploit.

Evidence notes

The CVE-2026-0878 vulnerability was published on 2026-01-13 and modified on 2026-06-30. The vulnerability has a CVSS score of 8 and is categorized under CWE-20 and CWE-119. The attack vector is network-based, and the attack complexity is high. The vulnerability requires no privileges and user interaction is required. The scope is changed, and the impact on confidentiality, integrity, and availability is high.

Official resources

This article is AI-assisted and based on the supplied source corpus.