VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2026-12295

Description

A sandbox escape vulnerability in Firefox's DOM Navigation component allows an attacker to break out of the browser sandbox.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A sandbox escape vulnerability exists in the DOM Navigation component of Mozilla Firefox, Firefox ESR, and Firefox ESR 115. The bug was reported by Yaqoub Aldurayhim and is fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37 [1][2][3]. The specific nature of the flaw is not publicly detailed, but it allows breaking out of the browser's security sandbox.

Exploitation

An attacker would need to deliver a specially crafted web page or content that triggers the flaw during navigation. The vulnerability is accessible without any special user privileges beyond normal web browsing. The exact prerequisites are not disclosed, but sandbox escapes typically require no authentication and can be triggered from within the sandboxed content.

Impact

Successful exploitation allows the attacker to escape the browser sandbox, potentially leading to arbitrary code execution on the underlying operating system at the privilege level of the browser process. This represents a high-severity impact [1][2][3].

Mitigation

Mozilla released fixes in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37 on June 16, 2026. Users should update to these or later versions. As of the publication date, no workarounds are available other than applying the update.
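A version check against the fixed releases named above, as an added example that is not part of the advisory or of Mozilla's tooling. It assumes version strings in the form printed by `firefox --version`; the host names and inventory are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed versions as stated in the advisory text above.
RELEASE_FIXED = (152, 0, 0)
ESR_FIXED = {140: (140, 12, 0), 115: (115, 37, 0)}

# Matches "152.0", "151.0.1", "140.11.0esr"; pre-release strings such as
# "152.0b3" deliberately do not match and are reported as "unknown".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:esr)?\b", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch) from a version string, or raise ValueError."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Firefox version in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(text):
    """Return 'fixed', 'below-fixed' or 'unknown' for one version string."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unknown"
    # Assumption: the branch is identified by major version alone, so the check
    # still works when an inventory tool strips the "esr" suffix.
    floor = ESR_FIXED.get(version[0], RELEASE_FIXED)
    return "fixed" if version >= floor else "below-fixed"


def audit(inventory):
    """Map host -> status for every host that is not confirmed fixed."""
    statuses = {host: classify(v) for host, v in inventory.items()}
    return {host: s for host, s in statuses.items() if s != "fixed"}


# Constructed sample inventory (host names and versions are illustrative).
SAMPLE_INVENTORY = {
    "ws-001": "Mozilla Firefox 152.0",
    "ws-002": "Mozilla Firefox 151.0.1",
    "ws-003": "Mozilla Firefox 140.11.0esr",
    "ws-004": "Mozilla Firefox 115.37.0esr",
    "ws-005": "Mozilla Firefox 152.0b3",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status} ({SAMPLE_INVENTORY[host]})")
```

Hosts on an ESR branch for which the advisory lists no fix fall through to the release floor and are reported as `below-fixed`, which means "not at a version the advisory names as fixed".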

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

6
