PatchSiren cyber security CVE debrief
CVE-2026-8945 Mozilla CVE debrief
CVE-2026-8945 is a high-severity sandbox escape affecting Firefox and Firefox Focus for Android. The supplied record says the issue was fixed in Firefox 151, and NVD lists the vulnerability as awaiting analysis. The available evidence consists of Mozilla security references, including a Bugzilla report and the Mozilla advisory MFSA2026-46. From a defensive standpoint, this matters because a sandbox escape can undermine a browser's isolation boundary on Android devices. The supplied CVSS vector indicates a network attack vector, high attack complexity, no privileges required, and required user interaction, with high impact to confidentiality, integrity, and availability.
- Vendor: Mozilla
- Product: Firefox
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
Organizations and individuals using Firefox or Firefox Focus on Android, especially mobile security teams, endpoint administrators, and anyone managing app updates on managed Android devices.
Technical summary
NVD records CVE-2026-8945 as CVSS 3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H and maps it to CWE-693 (Protection Mechanism Failure) as a secondary weakness. The short description in the supplied corpus identifies the issue as a sandbox escape in Firefox and Firefox Focus for Android, fixed in Firefox 151. The NVD entry is still marked 'Awaiting Analysis,' so the public record in the supplied corpus is limited to the vendor advisory references and the CVSS/weakness metadata.
Defensive priority
High
Recommended defensive actions
- Update Firefox on Android to version 151 or later.
- Update Firefox Focus for Android to the fixed release available from the official app distribution channel.
- Prioritize remediation on managed Android fleets where browser isolation is relied on for tenant separation or phishing-risk reduction.
- Review Mozilla advisory MFSA2026-46 and the linked Bugzilla report for any release-specific deployment notes.
- If you maintain a vulnerability management program, mark the issue for prompt tracking: the CVSS score is 7.5 (High), even though user interaction is required.
Evidence notes
All statements are based on the supplied NVD record and Mozilla references. The corpus explicitly says: 'Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151.' NVD metadata shows 'Awaiting Analysis,' CVSS 3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, and a secondary CWE-693 mapping. Vendor attribution in the supplied enrichment is low-confidence/needs review, so this debrief avoids asserting more than the corpus supports.
Official resources
Publicly disclosed in the supplied record on 2026-05-19. The corpus includes Mozilla advisory and Bugzilla references, but no exploit details or exploitation claims.