CVE-2026-2768

Critical

Published: 24 February 2026

Published

24 February 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0010 27.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Sandbox escape in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely identification, reporting, and correction of the IndexedDB sandbox escape flaw via patching to Firefox 148, ESR 140.8, or Thunderbird equivalents.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Supports scanning to detect systems with vulnerable Firefox or Thunderbird versions prior to the fixed releases, enabling targeted remediation.

SI-5 Security Alerts, Advisories, and Directives partial match

prevent

Mandates receiving and acting on Mozilla MFSA advisories (2026-13, 15, 16, 17) to promptly patch this sandbox escape vulnerability.

Security SummaryAI

CVE-2026-2768 is a sandbox escape vulnerability in the Storage: IndexedDB component of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 148, Firefox ESR prior to 140.8, Thunderbird prior to 148, and Thunderbird prior to 140.8. The issue carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-284 (Improper Access Control) and CWE-693 (Protection Mechanism Failure).

The vulnerability can be exploited remotely over the network by any unauthenticated attacker with low complexity and no user interaction required. Successful exploitation changes the scope to achieve high impacts on confidentiality, integrity, and availability, allowing an attacker to escape the browser sandbox and potentially execute arbitrary code or access sensitive data outside the intended isolation.

Mozilla's security advisories (MFSA 2026-13, 15, 16, and 17) and the associated Bugzilla entry (bug 2014101) confirm the vulnerability was addressed in the specified fixed releases. Security practitioners should prioritize updating affected Firefox and Thunderbird installations to versions 148 or Firefox ESR/Thunderbird 140.8 or later to mitigate the risk.

Details

CWE(s): NVD-CWE-noinfo CWE-284 CWE-693

Affected Products

mozilla

firefox

≤ 140.8.0 · ≤ 148.0

mozilla

thunderbird

≤ 140.8.0 · ≤ 148.0

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Sandbox escape in client browser/email app with remote unauthenticated RCE and scope change directly enables T1203 (Exploitation for Client Execution) and T1068 (Exploitation for Privilege Escalation) to break isolation and run code outside sandbox.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2014101
Issue Tracking, Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-13/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-15/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-16/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-17/
Vendor Advisory · security@mozilla.org