CVE-2026-4692 is a sandbox escape vulnerability found in the Responsive Design Mode component of Mozilla Firefox. The flaw allows an attacker to bypass sandbox restrictions, which are designed to isolate browser processes and limit the impact of malicious code. This vulnerability was reported by Tom Ritter and is classified as high impact. It was addressed and fixed in Firefox 149 and corresponding ESR and Thunderbird versions. The CVSS 3.1 base score is 9.6, reflecting critical severity with network attack vector, low attack complexity, no privileges required, user interaction required, and complete confidentiality, integrity, and availability impact. The vendor advisory from Mozilla explicitly lists this vulnerability among multiple high-impact fixes in the Firefox 149 release.

Successful exploitation of CVE-2026-4692 could allow an attacker to escape the Firefox sandbox, potentially leading to arbitrary code execution with the privileges of the user running the browser. This could result in full system compromise, data theft, or further attacks on the host system. The vulnerability is rated critical with a CVSS score of 9.6. No evidence of exploitation in the wild has been reported so far.

Mozilla has released official fixes for this vulnerability in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. Users and administrators should update to these versions or later to remediate the vulnerability. Since this is not a cloud service, patching the client software is required. No additional mitigation steps are indicated by the vendor advisory.