Firefox 152 Patches 40 Vulnerabilities Including RCE and Sandbox Escapes
Mozilla releases Firefox 152 fixing 40 security flaws, including 10 high-severity vulnerabilities enabling remote code execution, privilege escalation, and sandbox escapes.
Mozilla shipped Firefox 152 on June 16, addressing 40 security vulnerabilities across the browser's rendering engine, networking stack, and sandboxing components. Ten of these carry high severity ratings, including multiple use-after-free bugs and sandbox escapes that could let attackers run code outside browser protections.
Users still running Firefox 151 or earlier should update immediately. The same fixes apply to Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 152.
High-Severity Vulnerabilities
The most concerning flaws enable attackers to break out of Firefox's security sandbox or execute arbitrary code through malicious web content.
CVE-2026-12291 is a use-after-free vulnerability in the HTTP networking component. Attackers can exploit freed memory regions to achieve code execution when victims visit malicious sites. Researcher Zijie Zhao reported the bug.
CVE-2026-12293 affects the WebGPU graphics component with a similar memory mismanagement issue. As GPU-accelerated web applications become more common, flaws in WebGPU become increasingly attractive attack surfaces.
CVE-2026-12289 is a privilege escalation flaw in the WebRender component, potentially allowing an attacker who already has low-privileged code running to gain higher privileges than the content that triggered it. Security researcher choeseyeong discovered this flaw.
Four separate sandbox escape vulnerabilities made the list:
- CVE-2026-12294 in DOM Workers
- CVE-2026-12295 in DOM Navigation
- CVE-2026-12296 in Process Sandboxing
- CVE-2026-12297 due to incorrect boundary conditions
CVE-2026-12299 involves JIT miscompilation in DOM handling, where the JavaScript engine generates incorrect machine code that attackers can exploit.
Moderate and Low Severity Issues
Beyond the high-severity fixes, Mozilla patched 15 moderate-severity bugs including memory safety issues, mitigation bypasses, and information disclosure flaws. CVE-2026-12304 addresses a same-origin policy bypass affecting cookie handling, the kind of bug that enables session hijacking across domains.
Eleven low-severity vulnerabilities round out the release, covering denial-of-service conditions, clickjacking vectors, and UI spoofing issues.
Three Memory Safety Rollups
CVE-2026-12326 through CVE-2026-12328 address grouped memory safety bugs that Mozilla's fuzzing infrastructure discovered. These bugs showed evidence of memory corruption, and Mozilla notes that "with enough effort, some of these could have been exploited to run arbitrary code."
Update Now
Firefox auto-updates for most users, but enterprise deployments often lag behind. Given the sandbox escape count in this release, waiting isn't advisable.
The Chrome team has been busy too—browser vulnerabilities remain a priority target for both criminals and nation-state actors. Every week without patching extends the window for drive-by exploitation.
Check your Firefox version via Help > About Firefox. If you're not on 152 (or ESR 140.12/115.37), update immediately.
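For a fleet, checking one machine at a time through the About dialog does not scale, and a naive "is it below 152?" comparison gets the ESR branches wrong: a 115.37 ESR install is fully patched, while a mainline 140.0 build is not. The following script is an added example (not Mozilla's tooling or anything from the original article). It assumes the `Mozilla Firefox X.Y.Z[esr]` format printed by `firefox --version` and uses the three fixed builds named on this page as its thresholds; the fleet inventory it runs over is constructed sample data.

```python
import re
from typing import Tuple

# Minimum fixed builds per branch, taken from this article (Firefox 152,
# ESR 140.12, ESR 115.37). Patch component of 0 where the page gives none.
FIXED_MINIMUMS = {
    "release": (152, 0, 0),
    "esr140": (140, 12, 0),
    "esr115": (115, 37, 0),
}

# Matches the tail of `firefox --version` output, e.g.
# "Mozilla Firefox 152.0", "Mozilla Firefox 140.11.0esr", "Firefox 115.36.0esr".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\s*$")


def parse_version(output: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_esr) from a `firefox --version` line."""
    m = _VERSION_RE.search(output.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {output!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return (major, minor, patch), m.group(4) is not None


def branch_for(version: Tuple[int, int, int], is_esr: bool) -> str:
    """Map a parsed version onto the branch the advisory's fixed builds refer to.

    Only the 'esr' suffix selects an ESR branch: a mainline 140.0 install is
    just an old release build and must reach 152, not 140.12.
    """
    if not is_esr:
        return "release"
    return f"esr{version[0]}"  # 'esr140', 'esr115', or a branch the page does not list


def assess(output: str) -> Tuple[str, str]:
    """Classify a `firefox --version` line as 'patched', 'unpatched' or 'unknown'."""
    version, is_esr = parse_version(output)
    branch = branch_for(version, is_esr)
    minimum = FIXED_MINIMUMS.get(branch)
    shown = ".".join(str(x) for x in version) + ("esr" if is_esr else "")
    if minimum is None:
        # An ESR major this advisory does not mention (e.g. an end-of-life ESR).
        return "unknown", f"{shown}: branch {branch} not covered by the advisory; treat as unpatched"
    fixed = ".".join(str(x) for x in minimum)
    if version >= minimum:
        return "patched", f"{shown}: at or above {branch} fix {fixed}"
    return "unpatched", f"{shown}: below {branch} fix {fixed}; update"


# Constructed sample inventory (hostname -> `firefox --version` output); not real data.
SAMPLE_FLEET = {
    "ws-01": "Mozilla Firefox 152.0",
    "ws-02": "Mozilla Firefox 151.0.1",
    "srv-03": "Mozilla Firefox 140.12.0esr",
    "srv-04": "Mozilla Firefox 140.11.0esr",
    "kiosk-05": "Mozilla Firefox 115.37.0esr",
    "kiosk-06": "Mozilla Firefox 140.0",         # mainline 140, not ESR: still needs 152
    "legacy-07": "Mozilla Firefox 128.14.0esr",  # ESR branch the advisory does not list
}


def report(fleet: dict) -> dict:
    """Return {host: status} and print one line per host."""
    results = {}
    for host, line in fleet.items():
        status, detail = assess(line)
        results[host] = status
        print(f"{host:10} {status:10} {detail}")
    return results


if __name__ == "__main__":
    report(SAMPLE_FLEET)
```

Feed it the collected output of `firefox --version` from your endpoint agent or inventory tool; anything reported as `unpatched` or `unknown` should be pushed to the front of the deployment queue.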
Why This Matters
Browsers handle untrusted content constantly. Every website you visit runs code in your browser, and the sandbox is the last barrier between that code and the rest of your system. Four sandbox escapes in a single release is notable; it suggests researchers (and likely attackers) are investing heavily in breaking browser isolation.
For organizations managing browser fleets, this release warrants expedited deployment. Chaining one of the RCE bugs with one of the sandbox escapes would give an attacker code execution on the endpoint, outside the browser, through nothing more than a malicious link.