Unrated severity · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2026-12297

Description

Sandbox escape in Firefox Networking component due to incorrect boundary conditions, fixed in Firefox 152 and ESR 140.12/115.37.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2026-12297 is a sandbox escape vulnerability in the Networking component of Mozilla Firefox. The issue stems from incorrect boundary conditions, which can be exploited to break out of the browser's sandbox. This vulnerability affects Firefox versions prior to 152, Firefox ESR versions prior to 140.12, and Firefox ESR versions prior to 115.37 [1][2][3].

Exploitation

An attacker can trigger the incorrect boundary conditions by sending specially crafted network data to the affected browser. No authentication or special privileges are required; the attacker only needs to convince the user to visit a malicious website or interact with crafted content. The exact sequence of steps is not publicly disclosed, but the vulnerability is exploitable remotely [1].

Impact

Successful exploitation allows an attacker to escape the browser's sandbox, gaining the ability to execute arbitrary code on the underlying operating system with the privileges of the user running the browser. This can lead to full compromise of the user's system, including data theft, installation of malware, or further lateral movement [1].

Mitigation

Mozilla has fixed this vulnerability in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37, all released on June 16, 2026 [1][2][3]. Users should update their browsers to these versions or later. No workarounds are available for unpatched versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
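To check an estate against the fixed versions listed above, the following added example (not part of the advisory or any Mozilla tooling) classifies collected `firefox --version` strings per branch. It assumes ESR builds report an `esr` suffix in that output; the host names and sample strings are constructed.

```python
import re

# Fixed versions as stated in the advisory above.
FIXED_RELEASE = (152, 0)
FIXED_ESR_115 = (115, 37)
FIXED_ESR_OTHER = (140, 12)  # every other ESR branch is measured against 140.12

# major.minor[.patch...][esr] as a whole token; pre-release tags such as
# "152.0b3" deliberately do not match and are reported as "unknown".
_VERSION = re.compile(r"(?<![\w.])(\d+)\.(\d+)(?:\.\d+)*(esr)?(?![\w.])", re.I)


def classify(version_output):
    """Return 'fixed', 'vulnerable' or 'unknown' for one version string."""
    m = _VERSION.search(version_output or "")
    if not m:
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(3):  # ESR build
        threshold = FIXED_ESR_115 if major == 115 else FIXED_ESR_OTHER
    else:
        # A build without the "esr" suffix is held to the release threshold,
        # so an ESR package that strips the suffix is flagged, not missed.
        threshold = FIXED_RELEASE
    return "fixed" if (major, minor) >= threshold else "vulnerable"


def triage(inventory):
    """Map host -> status for every host that is not confirmed fixed."""
    statuses = {host: classify(out) for host, out in inventory.items()}
    return {h: s for h, s in sorted(statuses.items()) if s != "fixed"}


# Constructed sample inventory (hypothetical hosts and collected output).
SAMPLE = {
    "ws-01": "Mozilla Firefox 152.0",
    "ws-02": "Mozilla Firefox 151.0.2",
    "ws-03": "Mozilla Firefox 140.11.0esr",
    "ws-04": "Mozilla Firefox 115.37.0esr",
    "ws-05": "Mozilla Firefox 128.14.0esr",
    "ws-06": "Mozilla Firefox 152.0b3",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}\t{status}")
```

Hosts reported as `unknown` (no parseable version, or a pre-release build) need manual review rather than being assumed patched.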

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

6
