Integer overflow in Mozilla Firefox
CVE-2026-0880
Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Vulnerability class: Integer Overflow
EPSS: 0.006 (42.9th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
Affected products
- Mozilla Firefox — versions 115.32, 140.7, 147
- Mozilla Thunderbird — versions 140.7, 147
Weakness classification (CWE)
References
- security@mozilla.org (Permissions Required)
- security@mozilla.org (Vendor Advisory)
- security@mozilla.org (Vendor Advisory)
- security@mozilla.org (Vendor Advisory)
- security@mozilla.org (Vendor Advisory)
- security@mozilla.org (Vendor Advisory)
- 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
- 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
- 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
- 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
Frequently asked questions
- What is CVE-2026-0880?
- CVE-2026-0880 is a high-severity vulnerability in Mozilla Firefox, classified under Integer Overflow or Wraparound. CVSS score: 8.8/10. Published 2026-01-13.
- How severe is CVE-2026-0880?
- High severity. CVSS v3 base score is 8.8 out of 10.