Cyber Posture

CVE-2026-2760

Critical

Published: 24 February 2026

Published
24 February 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0008 23.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates CVE-2026-2760 by requiring timely patching of the sandbox escape flaw in Firefox and Thunderbird's WebRender component.

RA-5 Vulnerability Monitoring and Scanning good match
detect

Identifies systems running vulnerable versions of Firefox prior to 148, ESR prior to 115.33/140.8, or Thunderbird prior to 148/140.8 through vulnerability scanning.

SI-3 Malicious Code Protection partial match
preventdetect

Provides additional protection against exploitation of the sandbox escape via malicious web content through malicious code detection and eradication mechanisms.

Security SummaryAI

CVE-2026-2760 is a sandbox escape vulnerability stemming from incorrect boundary conditions in the Graphics: WebRender component of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 148, Firefox ESR prior to 115.33 and 140.8, Thunderbird prior to 148, and Thunderbird prior to 140.8. The issue is cataloged under CWE-1384 with an NVD-CWE-noinfo mapping and carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.

Remote attackers can exploit this vulnerability over the network without user privileges or interaction, leveraging malicious web content to bypass the browser's sandbox isolation in the WebRender graphics rendering engine. Successful exploitation enables scope change with high impacts on confidentiality, integrity, and availability, potentially granting attackers full control over the affected browser process and leading to arbitrary code execution on the user's system.

Mozilla's security advisories (MFSA 2026-13 through 2026-16) and the associated Bugzilla entry (bug 2011062) detail the fix applied in the specified versions of Firefox and Thunderbird. Security practitioners should prioritize updating affected browsers to mitigate this risk, as no workarounds are mentioned in the provided references.

Details

CWE(s)
NVD-CWE-noinfoCWE-1384

Affected Products

mozilla
firefox
≤ 115.33.0 · ≤ 148.0 · 128.0 — 140.8.0
mozilla
thunderbird
≤ 140.8.0 · ≤ 148.0

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
attack.mitre.org →
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Sandbox escape via malicious web content enables drive-by compromise (T1189) and client execution (T1203); scope-changing sandbox bypass constitutes privilege escalation (T1068) to achieve RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References