CVE-2026-2778: Vulnerability in Mozilla Firefox
Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
AI Analysis
Technical Summary
CVE-2026-2778 is a critical vulnerability in Mozilla Firefox's DOM: Core & HTML component caused by incorrect boundary conditions, leading to a sandbox escape. This flaw could allow an attacker to bypass sandbox restrictions, potentially executing arbitrary code or escalating privileges within the browser environment. The vulnerability has a CVSS v3.1 base score of 10.0, reflecting its critical impact and ease of exploitation. Mozilla addressed this issue in Firefox 148 and corresponding ESR and Thunderbird versions. The vendor advisory explicitly lists this vulnerability among multiple high-impact security fixes released simultaneously. No known active exploitation has been reported.
Potential Impact
Successful exploitation of CVE-2026-2778 could allow an attacker to escape the browser sandbox, potentially leading to arbitrary code execution with the privileges of the user running Firefox. This compromises confidentiality, integrity, and availability of the affected system. Given the critical CVSS score of 10.0, the impact is severe. However, no known exploits in the wild have been reported at the time of disclosure.
Mitigation Recommendations
An official fix is available and has been released by Mozilla in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. Users and administrators should update to these versions or later to remediate this vulnerability. There are no vendor indications that additional mitigation steps are required beyond applying the update.
CVE-2026-2778: Vulnerability in Mozilla Firefox
Description
Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-2778 is a critical vulnerability in Mozilla Firefox's DOM: Core & HTML component caused by incorrect boundary conditions, leading to a sandbox escape. This flaw could allow an attacker to bypass sandbox restrictions, potentially executing arbitrary code or escalating privileges within the browser environment. The vulnerability has a CVSS v3.1 base score of 10.0, reflecting its critical impact and ease of exploitation. Mozilla addressed this issue in Firefox 148 and corresponding ESR and Thunderbird versions. The vendor advisory explicitly lists this vulnerability among multiple high-impact security fixes released simultaneously. No known active exploitation has been reported.
Potential Impact
Successful exploitation of CVE-2026-2778 could allow an attacker to escape the browser sandbox, potentially leading to arbitrary code execution with the privileges of the user running Firefox. This compromises confidentiality, integrity, and availability of the affected system. Given the critical CVSS score of 10.0, the impact is severe. However, no known exploits in the wild have been reported at the time of disclosure.
Mitigation Recommendations
An official fix is available and has been released by Mozilla in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. Users and administrators should update to these versions or later to remediate this vulnerability. There are no vendor indications that additional mitigation steps are required beyond applying the update.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mozilla
- Date Reserved
- 2026-02-19T15:06:06.469Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 699daf6fbe58cf853bdde1d8
Added to database: 2/24/2026, 2:02:23 PM
Last enriched: 4/22/2026, 6:24:19 AM
Last updated: 5/26/2026, 7:54:57 AM
Views: 215
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.