VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 16, 2026· Updated Jun 16, 2026

CVE-2026-12294

CVE-2026-12294

Description

A sandbox escape vulnerability in Firefox's DOM Workers component allows a compromised Web Worker to break out of its sandbox and execute arbitrary code on the host system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A sandbox escape vulnerability in Firefox's DOM Workers component allows a compromised Web Worker to break out of its sandbox and execute arbitrary code on the host system.

Vulnerability

CVE-2026-12294 is a sandbox escape vulnerability in the DOM: Workers component of Firefox. It allows a Web Worker to break out of its sandbox restrictions. The vulnerability affects Firefox versions prior to 152, Firefox ESR versions prior to 140.12, and Firefox ESR versions prior to 115.37 [1][2][3].

Exploitation

An attacker would first need to execute or inject a malicious Web Worker script into a target browser session. This could be achieved by convincing a user to visit a specially crafted website or by compromising a legitimate site to serve malicious worker code. The malicious worker then exploits the flaw to escape the intended sandbox boundaries [1].

Impact

Successful exploitation results in a sandbox escape, allowing the attacker's code to run with the privileges of the host Firefox process. This can lead to arbitrary code execution on the user's system, bypassing the security boundaries intended for Web Workers [1][2][3].

Mitigation

The vulnerability is fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37, all released on June 16, 2026 [1][2][3]. Users should update to these versions or later. No workarounds are available.

References
  1. Security Vulnerabilities fixed in Firefox 152
  2. Security Vulnerabilities fixed in Firefox ESR 140.12
  3. Security Vulnerabilities fixed in Firefox ESR 115.37

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

6

News mentions

0

No linked articles in our index yet.