CVE-2026-0878
Published: 13 January 2026
Summary
CVE-2026-0878 is a high-severity Improper Input Validation (CWE-20) vulnerability in Mozilla Firefox. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation through timely application of vendor patches directly eliminates the sandbox escape vulnerability in Firefox's CanvasWebGL component fixed in versions 147 and ESR 140.7.
Memory protection safeguards such as DEP, ASLR, and stack canaries prevent unauthorized code execution from buffer overflow exploits underlying CWE-119 in this CVE.
Process isolation enforces browser sandbox boundaries to contain graphics rendering flaws and limit potential system access upon sandbox escape attempts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Sandbox escape via malicious webpage enables drive-by compromise (T1189), client-side exploitation (T1203), and privilege escalation (T1068).
NVD Description
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Deeper analysisAI
CVE-2026-0878 is a sandbox escape vulnerability stemming from incorrect boundary conditions in the Graphics: CanvasWebGL component. It affects Mozilla Firefox versions prior to 147, Firefox ESR prior to 140.7, Thunderbird prior to 147, and Thunderbird prior to 140.7. The issue is classified under CWE-20 (Improper Input Validation) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), with a CVSS v3.1 base score of 8.0.
A remote attacker can exploit this vulnerability over the network with no privileges required, though it demands high attack complexity and user interaction, such as loading a malicious webpage. Successful exploitation changes the scope to achieve high confidentiality and integrity impacts, allowing the attacker to escape the browser sandbox and potentially access or modify sensitive data within the user's system.
Mozilla's security advisories (MFSA 2026-01, 2026-03, 2026-04, and 2026-05) and the associated Bugzilla entry detail the patch, recommending immediate updates to Firefox 147, Firefox ESR 140.7, Thunderbird 147, or Thunderbird 140.7 to mitigate the issue. No workarounds are specified in the provided references.
Details
- CWE(s)