Cyber Resilience

CVE-2026-2760

CriticalUpdated

Published: 24 February 2026

Published
24 February 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0040 31.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-2760 is a critical-severity Improper Handling of Physical or Environmental Conditions (CWE-1384) vulnerability in Mozilla Firefox. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 31.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2760 is a sandbox escape vulnerability stemming from incorrect boundary conditions in the Graphics: WebRender component of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 148, Firefox ESR prior to 115.33 and 140.8, Thunderbird prior to 148, and Thunderbird prior to 140.8. The issue is cataloged under CWE-1384 with an NVD-CWE-noinfo mapping and carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.

Remote attackers can exploit this vulnerability over the network without user privileges or interaction, leveraging malicious web content to bypass the browser's sandbox isolation in the WebRender graphics rendering engine. Successful exploitation enables scope change with high impacts on confidentiality, integrity, and availability, potentially granting attackers full control over the affected browser process and leading to arbitrary code execution on the user's system.

Mozilla's security advisories (MFSA 2026-13 through 2026-16) and the associated Bugzilla entry (bug 2011062) detail the fix applied in the specified versions of Firefox and Thunderbird. Security practitioners should prioritize updating affected browsers to mitigate this risk, as no workarounds are mentioned in the provided references.

EU & UK References

Vulnerability details

Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Sandbox escape via malicious web content enables drive-by compromise (T1189) and client execution (T1203); scope-changing sandbox bypass constitutes privilege escalation (T1068) to achieve RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2759Same product: Mozilla Firefox
CVE-2026-2757Same product: Mozilla Firefox
CVE-2026-0878Same product: Mozilla Firefox
CVE-2026-2778Same product: Mozilla Firefox
CVE-2026-0880Same product: Mozilla Firefox
CVE-2025-8028Same product: Mozilla Firefox
CVE-2026-2761Same product: Mozilla Firefox
CVE-2026-6750Same product: Mozilla Firefox
CVE-2025-8027Same product: Mozilla Firefox
CVE-2026-4721Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 115.33.0 · ≤ 148.0 · 128.0 — 140.8.0
mozilla
thunderbird
≤ 140.8.0 · ≤ 148.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-2760 by requiring timely patching of the sandbox escape flaw in Firefox and Thunderbird's WebRender component.

detect

Identifies systems running vulnerable versions of Firefox prior to 148, ESR prior to 115.33/140.8, or Thunderbird prior to 148/140.8 through vulnerability scanning.

preventdetect

Provides additional protection against exploitation of the sandbox escape via malicious web content through malicious code detection and eradication mechanisms.

References