CVE-2026-8945

Vulnerability

A sandbox escape vulnerability exists in Firefox and Firefox Focus for Android. The issue is in the browser's sandbox implementation, allowing an attacker to break out of the restricted environment. The vulnerability affects both Firefox and Firefox Focus for Android prior to version 151. It was fixed in Firefox 151, released on May 19, 2026 [1].

Exploitation

An attacker would need to be able to execute code or trigger a script within the browser's sandbox. The exact exploitation details are not publicly disclosed, but the vulnerability was reported by Daisuke Hatakeyama and assigned Bug 2003171 [1][2]. It is likely exploitable via a crafted web page or by combining with other bugs to escape the sandbox.

Impact

Successful exploitation allows the attacker to escape the browser sandbox, gaining the ability to execute arbitrary code outside the sandboxed environment. This could lead to full compromise of the host system, as the sandbox is designed to prevent malicious content from accessing the underlying operating system. The impact is rated as high [1].

Mitigation

The vulnerability is fixed in Firefox 151, and users should update to this version or later. There is no workaround mentioned, and users of Firefox Focus for Android should also ensure they are using the latest version. No known exploits in the wild have been reported, and the vulnerability is not on the CISA Known Exploited Vulnerabilities (KEV) list as of the publication date [1].