Cyber Posture

CVE-2026-7321

Critical

Published: 28 April 2026
Modified: 01 May 2026
KEV Added: (no date listed)
Patch: available (see fixed versions below)
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0004 (13.8th percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Thunderbird 140.10.1.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly requires identification, reporting, and correction of flaws like the buffer copy without bounds check in the WebRTC networking component via timely patching.
- prevent: Prohibits or restricts unnecessary functions such as WebRTC to eliminate exposure to the vulnerable networking component.
- prevent: Implements memory safeguards that protect against unauthorized code execution stemming from the boundary condition error in WebRTC.

Security Summary (AI-generated)

CVE-2026-7321 is a sandbox escape vulnerability stemming from incorrect boundary conditions, classified under CWE-120 (Buffer Copy without Bounds Check), in the WebRTC Networking component. It affects Mozilla Firefox, Thunderbird, Firefox ESR, and Thunderbird ESR prior to their respective fixed versions: Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Thunderbird ESR 140.10.1. The vulnerability carries a CVSS v3.1 base score of 9.6, reflecting its critical severity due to network accessibility, low attack complexity, and high potential impact.

An attacker can exploit this vulnerability remotely over the network without privileges by tricking a user into interacting with malicious content, such as visiting a specially crafted webpage that triggers the WebRTC Networking flaw. Successful exploitation changes the scope from the sandboxed content process to the broader system, with high confidentiality, integrity, and availability impact: arbitrary code execution outside the sandbox, data theft, or full compromise of the targeted machine.

Mozilla's security advisories (MFSA 2026-30, 2026-33, 2026-36, and 2026-39) and the associated Bugzilla entry (bug 2029461) confirm the issue was addressed in the specified versions. Security practitioners should prioritize updating affected browsers and email clients to the patched releases, disable WebRTC if not required, and educate users on avoiding suspicious links or media streams.

Details

CWE(s)

CWE-120 Buffer Copy without Checking Size of Input (as cited in the Security Summary above)

Affected Products

- mozilla / firefox: ≤ 140.10.1 · ≤ 150.0
- mozilla / thunderbird: ≤ 140.10.1 · ≤ 150.0

(Read together with the Description: the fixed releases are Firefox/Thunderbird 150 on the mainline branch and 140.10.1 on the ESR branch; builds before those are affected.)
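The affected-version ranges above are easy to misread, because the fix lives on two branches (ESR 140.10.1 and mainline 150). The following is an added example, not part of this CVE record, showing how a defender can triage an inventory of installed Firefox/Thunderbird builds against those fixed versions. It assumes that any 140.x build is on the ESR branch and every other major version is mainline; the inventory data is constructed for illustration.

```python
# Added example (not from the CVE record): is a given Firefox/Thunderbird
# build missing the CVE-2026-7321 fix? Fixed versions come from the
# record's Description: ESR 140.10.1 and mainline 150.
# Assumption: a 140.x build is ESR; all other majors are mainline.
import re

ESR_MAJOR = 140
FIXED_ESR = (140, 10, 1)        # Firefox ESR 140.10.1 / Thunderbird 140.10.1
FIXED_MAINLINE = (150, 0, 0)    # Firefox 150 / Thunderbird 150


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings such as
    '140.10.1', '149.0.2esr' or 'Mozilla Firefox 150.0'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version):
    """True when the build predates the fix on its own branch."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v[0] == ESR_MAJOR:
        return v < FIXED_ESR       # ESR branch: fixed at 140.10.1
    return v < FIXED_MAINLINE      # mainline (and anything older): fixed at 150


def triage(inventory):
    """inventory: {hostname: version string}. Returns the sorted list of
    hosts that still need the update."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 140.10.0esr",   # ESR, one patch level short
    "ws-02": "Mozilla Firefox 140.10.1esr",   # ESR, fixed
    "ws-03": "Mozilla Firefox 149.0.2",       # mainline, pre-150
    "ws-04": "Mozilla Firefox 150.0",         # mainline, fixed
    "mail-01": "Thunderbird 140.9.0",         # ESR, vulnerable
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs the CVE-2026-7321 update")
```

Note that a plain "version ≤ 150.0 is affected" rule would wrongly flag the patched ESR build ws-02; the branch check is what makes the result match the vendor's fixed versions.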

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
- T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The CVE describes a browser sandbox escape via buffer overflow in WebRTC, triggered by visiting a malicious webpage, directly enabling Drive-by Compromise (T1189) for initial access and Exploitation for Client Execution (T1203) to achieve arbitrary code execution outside the sandbox.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References