PatchSiren

CVE-2026-0879 Mozilla CVE debrief

CVE-2026-0879 is a critical sandbox escape in Mozilla Firefox caused by incorrect boundary conditions in the Graphics component. It was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. The vulnerability has a CVSS score of 9.8 (critical). The CVE record was published on January 13, 2026, and last modified on June 30, 2026.

Vendor: Mozilla
Product: Firefox
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-13
Original CVE updated: 2026-06-30
Advisory published: 2026-01-13
Advisory updated: 2026-06-30

Who should care

Organizations and individuals using Mozilla Firefox, Firefox ESR, Thunderbird, or Thunderbird ESR should prioritize patching this vulnerability to prevent sandbox escapes. Its critical severity and potential for exploitation make it particularly concerning.

Technical summary

CVE-2026-0879 is a critical vulnerability in the Graphics component of Mozilla Firefox: incorrect boundary conditions allow a sandbox escape. It has a CVSS score of 9.8. The affected products are Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR. The fix shipped in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

Defensive priority

Give high priority to patching CVE-2026-0879: it is a critical vulnerability with a high CVSS score. Organizations should ensure that all affected products are updated to the latest versions to prevent potential exploitation.

Recommended defensive actions

  • Patch Firefox to version 147 or later
  • Patch Firefox ESR (115 branch) to version 115.32 or later
  • Patch Firefox ESR (140 branch) to version 140.7 or later
  • Patch Thunderbird to version 147 or later
  • Patch Thunderbird ESR to version 140.7 or later
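
The version floors above can be checked across an inventory. The following is an added example, not code from PatchSiren or Mozilla: it assumes version strings shaped like "146.0.1" or "140.6.0esr", uses a constructed host list, and reports ESR branches with no fixed build listed here as "unlisted" rather than guessing.

```python
import re

# Fixed versions as listed in this debrief: (product, channel) -> [(major, minor), ...]
FIXED = {
    ("firefox", "release"): [(147, 0)],
    ("firefox", "esr"): [(115, 32), (140, 7)],
    ("thunderbird", "release"): [(147, 0)],
    ("thunderbird", "esr"): [(140, 7)],
}

# Assumed version string shape: "146.0.1" or "140.6.0esr"; anything else is "unparsed".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)?(esr)?$")

def patch_status(product, version):
    """Return 'patched', 'vulnerable', 'unlisted', or 'unparsed' (bad version/product)."""
    m = VERSION_RE.match(version.strip().lower())
    product = product.strip().lower()
    if m is None or (product, "release") not in FIXED:
        return "unparsed"
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(3) is None:
        return "patched" if (major, minor) >= FIXED[(product, "release")][0] else "vulnerable"
    # ESR majors are separate branches: 140.6 is not covered by the 115.32 fix,
    # so compare only against the fix for the same major.
    for fix_major, fix_minor in FIXED[(product, "esr")]:
        if major == fix_major:
            return "patched" if minor >= fix_minor else "vulnerable"
    # No fixed build is listed for this ESR branch; flag it for manual review.
    return "unlisted"

def triage(inventory):
    """Map (host, product, version) rows to the hosts that still need attention."""
    return {host: s for host, p, v in inventory if (s := patch_status(p, v)) != "patched"}

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE = [
    ("ws-01", "Firefox", "147.0"),
    ("ws-02", "Firefox", "146.0.1"),
    ("ws-03", "Firefox", "140.6.0esr"),
    ("ws-04", "Firefox", "115.32.0esr"),
    ("ws-05", "Firefox", "128.5.0esr"),
    ("ws-06", "Thunderbird", "140.7.0esr"),
    ("ws-07", "Thunderbird", "147.0b3"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```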

Evidence notes

The CVE record was published on January 13, 2026, and last modified on June 30, 2026. The vulnerability has a CVSS score of 9.8 and is considered critical. The affected products include Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR.

This article is AI-assisted and based on the supplied source corpus.