CVE-2026-0878 is a sandbox escape vulnerability in Mozilla Firefox's Graphics: CanvasWebGL component caused by incorrect boundary conditions. This memory safety issue could allow an attacker to escape the sandbox and potentially execute arbitrary code. The vulnerability affects Firefox versions prior to 147 and Firefox ESR prior to 140.7. Mozilla fixed this vulnerability in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird ESR 140.7. The CVSS v3.1 base score is 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N), reflecting a high-severity remote vulnerability requiring user interaction with high impact on confidentiality and integrity. No known exploits have been reported in the wild. The vendor advisory is the authoritative source confirming the fix.

The vulnerability allows sandbox escape due to incorrect boundary conditions in the CanvasWebGL graphics component, which can lead to high-impact consequences including potential arbitrary code execution with elevated privileges. The CVSS score of 8.0 reflects high confidentiality and integrity impact, with no availability impact. Exploitation requires user interaction and has a high attack complexity. No known active exploitation has been reported.

A fix is available and has been officially released by Mozilla. Users and administrators should update to Firefox 147 or Firefox ESR 140.7 (and corresponding Thunderbird versions) to remediate this vulnerability. No additional mitigation is required beyond applying the official update as the vendor advisory confirms the issue is fixed in these versions.