Mozilla Patches Critical Firefox 152 Vulnerabilities Allowing Remote Code Execution and Sandbox Escape
Mozilla released Firefox 152 patching multiple high-severity bugs, including use-after-free flaws and sandbox escapes that attackers can chain for full system compromise.

Mozilla released Firefox 152 on June 16, 2026, addressing more than ten high-severity vulnerabilities that could allow remote code execution (RCE) and sandbox escape. The update spans Firefox, Firefox ESR, and Thunderbird, and is considered critical due to the potential for chaining bugs to achieve full system compromise.
Among the most dangerous vulnerabilities are use-after-free flaws in HTTP networking (CVE-2026-12291) and WebGPU (CVE-2026-12293), as well as a privilege escalation bug in the WebRender component (CVE-2026-12289). These memory corruption bugs, when exploited through crafted web content, allow attackers to execute arbitrary code within the browser process.
Critically, Mozilla also patched multiple sandbox escape vulnerabilities (CVE-2026-12294 through CVE-2026-12297) affecting DOM Workers, Navigation, and process sandboxing mechanisms. The typical attack chain involves first exploiting a memory safety bug to gain code execution inside the sandbox, then using a sandbox escape to break out to the underlying operating system. For example, combining CVE-2026-12291 with CVE-2026-12294 could enable a full browser-to-system compromise.
In addition to these high-severity flaws, Mozilla fixed a JIT miscompilation bug (CVE-2026-12299) in DOM and HTML components that could lead to unpredictable execution, several memory safety bugs (CVE-2026-12290, CVE-2026-12298, CVE-2026-12326, CVE-2026-12328), and a same-origin policy bypass (CVE-2026-12304) affecting cookie handling. Lower-severity issues include information disclosure in WebGPU and Password Manager, mitigation bypasses, and denial-of-service flaws in media playback and graphics components.
Mozilla’s advisory (MFSA 2026-57) confirms that the patches apply to Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 152. Users and organizations are urged to update immediately, enable automatic updates, and monitor for suspicious browser activity or exploitation attempts.
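The fixed versions listed above differ by channel and ESR branch, so a plain "version below 152" check misclassifies ESR installs. The following Python sketch is an added example, not code from Mozilla or the advisory; it triages an inventory against those versions. The inventory rows, hostnames, status labels and the assumption that ESR builds report a trailing "esr" in their version string are all constructed for illustration.

```python
import re

# Fixed versions as given in the article for MFSA 2026-57.
RELEASE_FIXED = {"firefox": (152, 0), "thunderbird": (152, 0)}
ESR_FIXED = {140: (140, 12), 115: (115, 37)}  # Firefox ESR branches named in the article
# Assumption: the inventory reports versions like "151.0.1" or "140.11.0esr".
VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.\d+)*(esr)?$", re.IGNORECASE)

def classify(product, version):
    """Return 'patched', 'vulnerable' or 'review' for one install."""
    product = product.strip().lower()
    m = VERSION_RE.match(version.strip())
    if not m or product not in RELEASE_FIXED:
        return "review"  # unparsable version (e.g. a beta) or product not covered
    major, minor = int(m.group(1)), int(m.group(2) or 0)
    if m.group(3):  # ESR build: compare only within its own branch
        if product != "firefox" or major not in ESR_FIXED:
            return "review"  # ESR branch the article does not name
        fixed = ESR_FIXED[major]
    else:
        fixed = RELEASE_FIXED[product]
    return "patched" if (major, minor) >= fixed else "vulnerable"

# Constructed sample inventory rows: (host, product, version string).
INVENTORY = [
    ("ws-01", "Firefox", "152.0"),
    ("ws-02", "Firefox", "151.0.1"),
    ("ws-03", "Firefox", "140.12.0esr"),
    ("ws-04", "Firefox", "140.11.0esr"),
    ("ws-05", "Firefox", "115.36.0esr"),
    ("ws-06", "Firefox", "128.14.0esr"),
    ("ws-07", "Thunderbird", "152.0"),
    ("ws-08", "Thunderbird", "151.0"),
]

def triage(rows):
    """Group hosts by status so unpatched installs can be prioritised."""
    out = {"patched": [], "vulnerable": [], "review": []}
    for host, product, version in rows:
        out[classify(product, version)].append(host)
    return out

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:10} {', '.join(hosts)}")
```

Hosts in the "review" group run a build the article gives no fixed version for and need a manual check rather than an automatic pass.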
“Multiple high-severity vulnerabilities fixed in the latest Firefox update,” stated Mozilla in its security advisory. “Given the presence of active exploit primitives such as memory corruption and sandbox escapes, timely patching is essential to maintaining browser security.” The Firefox 152 release follows a broader wave of browser security updates, including a combined Chrome and Firefox patch batch earlier in June that fixed over 70 security issues.