PatchSiren

CVE-2026-2768 Mozilla CVE debrief

CVE-2026-2768 is a critical vulnerability in the Storage: IndexedDB component of Mozilla Firefox and Thunderbird, allowing for a sandbox escape. The vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. This vulnerability has a CVSS score of 10 and a severity of CRITICAL. The CVE was published on 2026-02-24T14:16:25.183Z and last modified on 2026-06-30T03:18:17.470Z.

Vendor: Mozilla
Product: Firefox
CVSS: CRITICAL 10
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-24
Original CVE updated: 2026-06-30
Advisory published: 2026-02-24
Advisory updated: 2026-06-30

Who should care

Organizations and individuals using Mozilla Firefox, Firefox ESR, and Thunderbird should prioritize patching this vulnerability to prevent potential sandbox escapes. Given the critical severity and CVSS score of 10, immediate attention is required. Users of Red Hat systems may also need to apply specific errata to address this issue.

Technical summary

CVE-2026-2768 is a sandbox escape in the Storage: IndexedDB component of Mozilla Firefox and Thunderbird. It was addressed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: network attack vector, low attack complexity, no privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity, and availability. The listed CWEs are CWE-284 and CWE-693.

Defensive priority

High priority should be given to patching CVE-2026-2768 due to its critical severity and CVSS score of 10. Organizations should ensure that all instances of Mozilla Firefox, Firefox ESR, and Thunderbird are updated to the patched versions.

Recommended defensive actions

  • Update to the fixed releases: Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
  • Ensure all instances of Mozilla Firefox, Firefox ESR, and Thunderbird are updated to the patched versions.
  • Review and apply Red Hat errata RHSA-2026:3338, RHSA-2026:3339, and others as necessary.
  • Monitor for any signs of exploitation or anomalous behavior in Firefox and Thunderbird.
  • Perform a thorough inventory check to ensure all affected systems are identified and patched.
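
The inventory check above can be scripted against the fixed versions this page names. The following is an added example, not code from Mozilla, Red Hat, or PatchSiren; the host names and version strings are constructed, and the handling of 148 pre-releases and of branches older than 140 (both sent to manual review) is an assumption, since the page names no fixed build for them.

```python
import re

# Fixed versions named on this page (same numbers for Firefox and Thunderbird):
# 148 on the release branch, 140.8 on the 140 (ESR) branch.
FIXED_RELEASE_MAJOR = 148
FIXED_ESR = (140, 8)

# major.minor[.patch][a|b pre-release tag], e.g. "140.7.0esr" or "148.0b3"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.\d+)?([ab]\d+)?")


def classify(version_string):
    """Return 'patched', 'unpatched' or 'review' for one reported version."""
    m = VERSION_RE.search(version_string)
    if not m:
        return "review"  # unparseable: needs a manual look
    major, minor, prerelease = int(m.group(1)), int(m.group(2)), m.group(3)
    if major == FIXED_RELEASE_MAJOR and prerelease:
        return "review"  # assumption: a 148 alpha/beta may predate the fix
    if major >= FIXED_RELEASE_MAJOR:
        return "patched"
    if major == FIXED_ESR[0]:
        return "patched" if minor >= FIXED_ESR[1] else "unpatched"
    if major > FIXED_ESR[0]:
        return "unpatched"  # 141 to 147: release branch below 148
    return "review"  # older branch: the page names no fixed build for it


def audit(inventory):
    """Group hosts from (host, version_string) rows by classification."""
    report = {"patched": [], "unpatched": [], "review": []}
    for host, version_string in inventory:
        report[classify(version_string)].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    ("ws-01", "Mozilla Firefox 147.0.2"),
    ("ws-02", "Mozilla Firefox 140.7.0esr"),
    ("ws-03", "Mozilla Firefox 140.8.0esr"),
    ("mail-01", "Mozilla Thunderbird 148.0"),
    ("lab-01", "Mozilla Firefox 148.0b3"),
    ("kiosk-01", "Mozilla Firefox 128.5.0esr"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Feed it whatever version strings your endpoint management or software inventory already collects; anything landing in "review" needs a person to confirm the branch and build.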

Evidence notes

The CVE-2026-2768 vulnerability was identified in the Storage: IndexedDB component of Mozilla Firefox and Thunderbird. The vulnerability allows for a sandbox escape and has a CVSS score of 10. It was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. The CVE was published on 2026-02-24T14:16:25.183Z and last modified on 2026-06-30T03:18:17.470Z. Multiple references and errata are available for this vulnerability, including those from Mozilla and Red Hat.

This article is AI-assisted and based on the supplied source corpus.