Cyber Resilience

CVE-2026-0881

CriticalUpdated

Published: 13 January 2026

Published
13 January 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0037 29.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-0881 is a critical-severity Improper Access Control (CWE-284) vulnerability in Mozilla Firefox. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SC-50 (Software-enforced Separation and Policy Enforcement).

Deeper analysis

CVE-2026-0881 is a sandbox escape vulnerability in the Messaging System component of Mozilla Firefox and Thunderbird. It affects versions of these browsers prior to 147, where the issue allows attackers to bypass sandbox restrictions. The vulnerability is rated critical with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-284 (Improper Access Control) and CWE-693 (Protection Mechanism Failure). It was publicly disclosed on January 13, 2026.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. Successful exploitation enables attackers to escape the sandbox, achieving high impacts on confidentiality, integrity, and availability due to the changed scope, potentially leading to full system compromise on affected systems.

Mozilla's security advisories (MFSA 2026-01 and MFSA 2026-04) confirm the vulnerability was addressed in Firefox 147 and Thunderbird 147. Additional details are available in Bugzilla entry 2005845, which outlines the fix for the sandbox escape in the Messaging System. Security practitioners should ensure users update to these patched versions immediately.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Sandbox escape in browser component directly enables client-side exploitation (T1203) followed by privilege escalation beyond process isolation boundaries (T1068) to achieve full system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2768Same product: Mozilla Firefox
CVE-2026-8959Same product: Mozilla Firefox
CVE-2026-6761Same product: Mozilla Firefox
CVE-2026-8953Same product: Mozilla Firefox
CVE-2026-4692Same product: Mozilla Firefox
CVE-2026-2761Same product: Mozilla Firefox
CVE-2026-6750Same product: Mozilla Firefox
CVE-2026-2776Same product: Mozilla Firefox
CVE-2026-4689Same product: Mozilla Firefox
CVE-2026-8958Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 147.0
mozilla
thunderbird
≤ 147.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring identification, reporting, and timely patching of the sandbox escape flaw in Firefox and Thunderbird versions prior to 147.

prevent

Enforces software-based separation and policy mechanisms such as sandboxing to prevent unauthorized escape from confined execution environments in the Messaging System.

prevent

Maintains separate execution domains for processes, providing the foundational isolation that browser sandboxes rely on to block sandbox escapes.

References