Overview
- CVE: CVE-2026-0879, CVE-2026-0881, CVE-2026-0884, CVE-2026-0892
- Severity: Critical
- Date: 14 Jan 2026
Summary
Mozilla has released security updates to address multiple critical vulnerabilities in Firefox, including a sandbox escape with a CVSS score of 10.0. These flaws could allow attackers to execute arbitrary code or escape the sandbox environment. Immediate patching is strongly recommended.
Affected Versions
See vendor advisory for affected versions.
Vulnerability Breakdown
CVE-2026-0881 – Sandbox escape in the Messaging System component
-
- Severity: Critical
- CVSS: 10.0
- Description: A sandbox escape vulnerability exists in the Messaging System component.
- Impact: This could allow an attacker to break out of the sandbox and execute code on the underlying system.
- Conditions: Requires a compromised content process or similar foothold.
CVE-2026-0879 – Sandbox escape due to incorrect boundary conditions
-
- Severity: Critical
- CVSS: 9.8
- Description: Incorrect boundary conditions in the Graphics component can lead to a sandbox escape.
- Impact: Allows escape from the sandbox to the parent process or system.
CVE-2026-0884 – Use-after-free in the JavaScript Engine component
-
- Severity: Critical
- CVSS: 9.8
- Description: A use-after-free vulnerability in the JavaScript Engine component.
- Impact: Could result in arbitrary code execution.
Mitigation
- Update to the latest version of Mozilla Firefox immediately.
- Review the Mozilla Security Advisories for full details.
Summary for IT Teams
- Products: Mozilla Firefox
- Threat Level: Critical, CVSS 10.0
- Action Required: Patch immediately.
Reference
- Mozilla Security Advisory MFSA2026-01
- Mozilla Security Advisory MFSA2026-02
- Mozilla Security Advisory MFSA2026-03
Need Help?
If your organisation needs assistance assessing or patching your environment, the Secure ISS SOC team is ready to help. Please get in touch on 1300 769 460 or email us.
