CVE-2025-13026

9.8 CRITICAL

📋 TL;DR

This CVE describes a sandbox escape vulnerability in Firefox and Thunderbird's WebGPU component due to incorrect boundary conditions. Attackers can exploit this to break out of browser sandbox protections and execute arbitrary code on affected systems. All users running Firefox < 145 or Thunderbird < 145 are vulnerable.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Thunderbird
Versions: Firefox < 145, Thunderbird < 145
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. WebGPU must be enabled (default in affected versions).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install malware, steal sensitive data, or establish persistent access to the affected system.

🟠 Likely Case

Remote code execution leading to credential theft, data exfiltration, or ransomware deployment on vulnerable endpoints.

🟢 If Mitigated

Limited impact if proper network segmentation, endpoint protection, and least privilege principles are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (visiting malicious website or opening malicious email).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 145, Thunderbird 145

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-87/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow the automatic update to version 145.
4. Restart the browser/email client.

🔧 Temporary Workarounds

Disable WebGPU

Platforms: all

Temporarily disable the vulnerable WebGPU component:

about:config → Set 'dom.webgpu.enabled' to false

🧯 If You Can't Patch

  • Block access to untrusted websites and disable email HTML rendering
  • Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check browser version in About Firefox/Thunderbird. If version < 145, system is vulnerable.

Check Version:

firefox --version (Linux) or check About menu (Windows/macOS)

Verify Fix Applied:

Confirm version is 145 or higher in About Firefox/Thunderbird.
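A script that automates the version check above and also reports whether the temporary WebGPU workaround is in place, as an added example that is not part of this advisory page. It assumes the "Mozilla Firefox 144.0.2" form that `firefox --version` prints on Linux, the `user_pref(...)` line format of a profile's prefs.js, and a hypothetical FIREFOX_PREFS variable pointing at that file:

```shell
#!/bin/sh
# Added example, not from the advisory: decides whether a Firefox/Thunderbird
# build is below the fixed version (145) and whether the temporary workaround
# (dom.webgpu.enabled = false) is present in a profile's prefs.js.
# Assumes the "Mozilla Firefox 144.0.2" form that `firefox --version` prints on
# Linux and the user_pref("...", ...); line format Firefox writes to prefs.js.

FIXED_MAJOR=145

# major_version "Mozilla Firefox 144.0.2" -> 144 (empty if no digits found)
major_version() {
    printf '%s\n' "$1" | sed 's/^[^0-9]*//; s/[^0-9].*$//'
}

# Exit 0 if the major version is below 145, 1 if fixed, 2 if unparseable.
is_vulnerable_version() {
    major=$(major_version "$1")
    [ -n "$major" ] || return 2
    [ "$major" -lt "$FIXED_MAJOR" ]
}

# Exit 0 only if prefs.js pins WebGPU off (the advisory's temporary workaround).
webgpu_disabled() {
    grep -q '^user_pref("dom.webgpu.enabled", *false);' "$1" 2>/dev/null
}

# assess "<version string>" "<path to prefs.js>" -> one status line on stdout
assess() {
    if is_vulnerable_version "$1"; then
        if webgpu_disabled "$2"; then
            printf 'vulnerable build, WebGPU workaround applied\n'
        else
            printf 'VULNERABLE: update to 145 or disable WebGPU\n'
        fi
    else
        case $? in
            1) printf 'patched (145 or later)\n' ;;
            *) printf 'unknown: could not parse version string\n' ;;
        esac
    fi
}

# Live check on Linux; FIREFOX_PREFS (hypothetical name) points at prefs.js.
if command -v firefox >/dev/null 2>&1; then
    assess "$(firefox --version 2>/dev/null)" "${FIREFOX_PREFS:-/dev/null}"
fi
```

Run it with FIREFOX_PREFS set to the profile's prefs.js (for example under ~/.mozilla/firefox/) to see whether the workaround is actually pinned rather than only toggled in the running session.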

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from browser processes
  • Sandbox escape attempts in security logs

Network Indicators:

  • Connections to known malicious domains from browser processes

SIEM Query:

Process Creation where (Parent Process Name contains 'firefox' OR Parent Process Name contains 'thunderbird') AND Command Line contains unusual parameters

🔗 References