CVE-2026-12297
CriticalCVSS 9.6Exploitation Probability (EPSS)
Low risk31th percentile — higher than 31% of all known CVEs
Summary
A sandbox escape vulnerability in the Networking component of Firefox and Thunderbird due to incorrect boundary conditions. Fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Risk Assessment
An attacker can exploit this flaw to break out of the browser sandbox and gain access to the underlying operating system, leading to full compromise of data confidentiality and integrity.
Recommendation
Immediately update Firefox to version 152 or later, and Thunderbird to version 152 or 140.12 depending on the ESR branch used.
Original NVD description (English source)
Sandbox escape due to incorrect boundary conditions in the Networking component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

