Login Sign Up

CVE-2026-0881

10.0 CRITICAL

📋 TL;DR

This CVE describes a sandbox escape vulnerability in the Messaging System component of Firefox and Thunderbird. Attackers can potentially execute arbitrary code outside the browser's security sandbox. All users running Firefox or Thunderbird versions below 147 are affected.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Thunderbird
Versions: All versions < 147
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special settings required for exploitation.

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

Thunderbird by Mozilla

View all CVEs affecting Thunderbird →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to install malware, steal sensitive data, or gain persistent access to the affected system.

🟠

Likely Case

Attackers could execute arbitrary code with user privileges, potentially leading to credential theft, data exfiltration, or lateral movement within networks.

🟢

If Mitigated

With proper network segmentation and endpoint protection, impact could be limited to the affected workstation only.

🌐 Internet-Facing: HIGH - Web browsers are inherently internet-facing and can be exploited through malicious websites or email content.
🏢 Internal Only: MEDIUM - Internal users could be targeted through phishing emails or compromised internal websites.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

CVSS 10.0 indicates critical severity with low attack complexity, but specific exploit details are not publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 147, Thunderbird 147

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2026-01/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird. 2. Click menu → Help → About Firefox/Thunderbird. 3. Allow automatic update to version 147. 4. Restart the application.

🔧 Temporary Workarounds

Disable JavaScript

all

Temporarily disable JavaScript to reduce attack surface while waiting for patch

about:config → javascript.enabled = false

Use alternative browser

all

Switch to updated alternative browser until Firefox/Thunderbird can be patched

🧯 If You Can't Patch

  • Network segmentation to isolate affected systems
  • Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check browser version in About Firefox/Thunderbird menu

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Confirm version is 147 or higher in About dialog

📡 Detection & Monitoring

Log Indicators:

  • Unusual process spawning from browser processes
  • Sandbox-related error messages

Network Indicators:

  • Unexpected outbound connections from browser processes

SIEM Query:

process_name:firefox.exe AND process_parent:!firefox.exe

📊 Metadata

CVE ID: CVE-2026-0881
CVSS v3 Score: 10.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-284
EPSS Score: 0.08% exploit probability (23.1th percentile)
Published: January 13, 2026
Last Updated: January 22, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-0881, you might also want to check these:

CVE-2021-34795 10.0

This critical vulnerability in Cisco Catalyst PON Series Switches ONT web management interface allow...

Same vulnerability type (CWE-284)
CVE-2021-40113 10.0

Multiple vulnerabilities in Cisco Catalyst PON Series Switches ONT web management interface allow un...

Same vulnerability type (CWE-284)
CVE-2026-21636 10.0

A critical vulnerability in Node.js v25's experimental permission model allows attacker-controlled i...

Same vulnerability type (CWE-284)