CVE-2026-2760

Critical

Published: 24 February 2026

Published

24 February 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0008 23.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2760 is a critical-severity Improper Handling of Physical or Environmental Conditions (CWE-1384) vulnerability in Mozilla Firefox. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 23.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates CVE-2026-2760 by requiring timely patching of the sandbox escape flaw in Firefox and Thunderbird's WebRender component.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Identifies systems running vulnerable versions of Firefox prior to 148, ESR prior to 115.33/140.8, or Thunderbird prior to 148/140.8 through vulnerability scanning.

SI-3 Malicious Code Protection partial match

preventdetect

Provides additional protection against exploitation of the sandbox escape via malicious web content through malicious code detection and eradication mechanisms.

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Sandbox escape via malicious web content enables drive-by compromise (T1189) and client execution (T1203); scope-changing sandbox bypass constitutes privilege escalation (T1068) to achieve RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Deeper analysisAI

CVE-2026-2760 is a sandbox escape vulnerability stemming from incorrect boundary conditions in the Graphics: WebRender component of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 148, Firefox ESR prior to 115.33 and 140.8, Thunderbird prior to 148, and Thunderbird prior to 140.8. The issue is cataloged under CWE-1384 with an NVD-CWE-noinfo mapping and carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.

Remote attackers can exploit this vulnerability over the network without user privileges or interaction, leveraging malicious web content to bypass the browser's sandbox isolation in the WebRender graphics rendering engine. Successful exploitation enables scope change with high impacts on confidentiality, integrity, and availability, potentially granting attackers full control over the affected browser process and leading to arbitrary code execution on the user's system.

Mozilla's security advisories (MFSA 2026-13 through 2026-16) and the associated Bugzilla entry (bug 2011062) detail the fix applied in the specified versions of Firefox and Thunderbird. Security practitioners should prioritize updating affected browsers to mitigate this risk, as no workarounds are mentioned in the provided references.

Details

CWE(s): NVD-CWE-noinfo CWE-1384

Affected Products

mozilla

firefox

≤ 115.33.0 · ≤ 148.0 · 128.0 — 140.8.0

mozilla

thunderbird

≤ 140.8.0 · ≤ 148.0

CVEs Like This One

CVE-2026-2759Same product: Mozilla Firefox

CVE-2026-2757Same product: Mozilla Firefox

CVE-2025-8028Same product: Mozilla Firefox

CVE-2026-0880Same product: Mozilla Firefox

CVE-2026-2778Same product: Mozilla Firefox

CVE-2026-0878Same product: Mozilla Firefox

CVE-2026-2761Same product: Mozilla Firefox

CVE-2026-2781Same product: Mozilla Firefox

CVE-2026-0882Same product: Mozilla Firefox

CVE-2026-2805Same product: Mozilla Firefox

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2011062
Issue Tracking, Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-13/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-14/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-15/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-16/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-17/
Vendor Advisory · security@mozilla.org