Skip to main content

Thunderbird CVE-2026-2778

CRITICAL
Buffer Overflow (CWE-119)
2026-02-24 security@mozilla.org
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
SUSE
8.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Apr 10, 2026 - 08:30 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 24, 2026 - 14:16 nvd
CRITICAL 10.0

DescriptionNVD

Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

AnalysisAI

Sandbox escape via DOM Core & HTML component in Firefox before 148. CVSS 10.0 — fifth sandbox escape in this release.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send malicious HTML document
Exploit
Trigger boundary condition in DOM parser
Execution
Escape sandbox environment
Impact
Execute arbitrary code with system privileges

Vulnerability AssessmentAI

Exploitation No special conditions — remote unauthenticated exploitation against default Firefox or Thunderbird installations by opening a crafted HTML document in the browser. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 10.0. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario DOM manipulation triggers boundary error that escapes the content process sandbox.
Remediation Update Firefox to 148+ immediately. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all systems running Firefox <148, Firefox ESR <115.33, <140.8, Thunderbird <148, or <140.8 through endpoint detection tools; issue security alert to all users. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-4367 HIGH POC
8.8 May 14

Arbitrary JavaScript execution in Mozilla's PDF.js library affects Firefox before 126, Firefox ESR before 115.11, and Th

CVE-2026-2796 CRITICAL POC
9.8 Feb 24

JIT miscompilation in Firefox WebAssembly before 148. The JIT compiler generates incorrect Wasm code, enabling type conf

CVE-2025-8043 CRITICAL POC
9.8 Jul 22

Firefox and Thunderbird URL truncation flaw enables spoofing attacks by displaying misleading origins in the address bar

CVE-2026-2761 CRITICAL
10.0 Feb 24

Second sandbox escape in Firefox WebRender component. CVSS 10.0 — independent path from CVE-2026-2760 to escape the cont

CVE-2026-2768 CRITICAL
10.0 Feb 24

Sandbox escape via IndexedDB in Firefox before 148 and Thunderbird. CVSS 10.0 — the Storage: IndexedDB component allows

CVE-2026-2776 CRITICAL
10.0 Feb 24

Sandbox escape via Telemetry component in Firefox external software before 148. CVSS 10.0 — fourth sandbox escape in thi

CVE-2026-2760 CRITICAL
10.0 Feb 24

Sandbox escape via boundary violation in Firefox WebRender graphics component. CVSS 10.0 — allows escaping the content s

CVE-2026-0881 CRITICAL
10.0 Jan 13

Firefox Messaging System component has a sandbox escape vulnerability. Maximum CVSS 10.0 with scope change. Affects Fire

CVE-2025-14324 CRITICAL
9.8 Dec 09

JIT compiler miscompilation in Mozilla's JavaScript engine allows remote code execution without authentication in Firefo

CVE-2025-14330 CRITICAL
9.8 Dec 09

Just-In-Time (JIT) compilation flaws in Mozilla's JavaScript engine allow unauthenticated remote attackers to achieve ar

CVE-2025-14321 CRITICAL
9.8 Dec 09

Remote code execution via use-after-free in Mozilla Firefox and Thunderbird WebRTC signaling allows unauthenticated netw

CVE-2025-14326 CRITICAL
9.8 Dec 09

Remote code execution in Mozilla Firefox and Thunderbird (pre-146) allows unauthenticated network attackers to execute a

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.61 Container suse/sl-micro/6.0/base-os-container:2.1.3-7.27 Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.52 Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.63 Container suse/sl-micro/6.0/toolbox:13.2-9.16 Image SL-Micro Affected
Image SL-Micro-BYOS-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Affected
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production Affected
Image SLES15-SP5-SAP-Azure-LI-BYOS Image SLES15-SP5-SAP-Azure-LI-BYOS-Production Image SLES15-SP5-SAP-Azure-VLI-BYOS Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production Image SLES15-SP7-SAP-Azure-LI-BYOS-Production Image SLES15-SP7-SAP-Azure-VLI-BYOS-Production Affected
SUSE Liberty Linux 8 Fixed

Share

CVE-2026-2778 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy