CVE-2026-0881
Published: 13 January 2026
Summary
CVE-2026-0881 is a critical-severity Improper Access Control (CWE-284) vulnerability in Mozilla Firefox. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SC-50 (Software-enforced Separation and Policy Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring identification, reporting, and timely patching of the sandbox escape flaw in Firefox and Thunderbird versions prior to 147.
Enforces software-based separation and policy mechanisms such as sandboxing to prevent unauthorized escape from confined execution environments in the Messaging System.
Maintains separate execution domains for processes, providing the foundational isolation that browser sandboxes rely on to block sandbox escapes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Sandbox escape in browser component directly enables client-side exploitation (T1203) followed by privilege escalation beyond process isolation boundaries (T1068) to achieve full system compromise.
NVD Description
Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
Deeper analysisAI
CVE-2026-0881 is a sandbox escape vulnerability in the Messaging System component of Mozilla Firefox and Thunderbird. It affects versions of these browsers prior to 147, where the issue allows attackers to bypass sandbox restrictions. The vulnerability is rated critical with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-284 (Improper Access Control) and CWE-693 (Protection Mechanism Failure). It was publicly disclosed on January 13, 2026.
Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. Successful exploitation enables attackers to escape the sandbox, achieving high impacts on confidentiality, integrity, and availability due to the changed scope, potentially leading to full system compromise on affected systems.
Mozilla's security advisories (MFSA 2026-01 and MFSA 2026-04) confirm the vulnerability was addressed in Firefox 147 and Thunderbird 147. Additional details are available in Bugzilla entry 2005845, which outlines the fix for the sandbox escape in the Messaging System. Security practitioners should ensure users update to these patched versions immediately.
Details
- CWE(s)