Firefox sandbox escape leaks all user data (CVE-2026-7321)
CVE-2026-7321 is a critical Firefox sandbox escape via WebRTC, CVSS 9.6, that lets attackers bypass the security boundary and access all user data. Update to Firefox 150, Thunderbird 150, or ESR 140.10.1.
Patch now - CVE-2026-7321 is a critical sandbox escape in Firefox (prior to 150), Thunderbird (prior to 150), and Firefox ESR (prior to 140.10.1) that lets attackers bypass the browser’s security boundary and read all user data, including passwords and cookies. Exploitation requires a single user click on a malicious link or page.
Overview
CVE-2026-7321 is a sandbox escape vulnerability in the WebRTC: Networking component of Mozilla’s browser and email suites. The flaw stems from incorrect boundary condition checks in that component, which let a compromised process handling WebRTC networking break out of its restricted sandbox and interact with the host operating system with the user’s privileges.
On its own the bug is an escalation primitive, not an entry point: an attacker must first obtain code execution inside the browser’s sandboxed content process (typically through a separate bug) and can then use this flaw to escalate that foothold to the user’s full privileges and read, modify, or exfiltrate sensitive data stored on the local system. The CVSS 9.6 score reflects a remotely deliverable, low-complexity attack that crosses a security boundary, even though it still requires user interaction (a single click). The vulnerability is not known to be actively exploited at the time of publication.
Impact
A successful exploit bypasses the core security isolation that sandboxes provide. Instead of being limited to browser memory and APIs, the attacker gains the ability to:
- Read arbitrary files from the user’s filesystem, including browser-stored passwords, cookies, and local configuration.
- Inject code into other processes running under the same user account.
- Persist on the system without relying on browser-resident malware that could be cleared by restarting the browser.
Any organization relying on Firefox or Thunderbird for sensitive workflows should treat this vulnerability with high urgency.
Remediation
Mozilla has released fixed versions for all three products. Apply updates through the standard update channel or download the latest builds from mozilla.org. Confirm the installed build afterwards (Help > About, or `firefox --version` / `thunderbird --version` from a shell); ESR builds carry an `esr` suffix in their version string, so compare them against the 140.10.1 line rather than against 150.
Affected and Fixed Versions
- Firefox: < 150. Fixed in 150.
- Thunderbird: < 150. Fixed in 150.
- Firefox ESR: < 140.10.1. Fixed in 140.10.1.
Mitigation (if patching is delayed)
If immediate patching is not possible, the most direct stopgap is to disable WebRTC by setting `media.peerconnection.enabled` to `false` (in about:config, or locked fleet-wide through the `Preferences` enterprise policy). This cuts off the RTCPeerConnection entry point that web content uses to reach the affected component, at the cost of breaking browser-based calling and conferencing. Users should also avoid clicking links or opening attachments from untrusted sources. These measures are partial at best: the vulnerable code remains on disk and reachable by other means, so patching remains the only complete fix.
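To turn the version table above and this mitigation into a repeatable host check, here is an added example (not code from the advisory or from Mozilla). It assumes the banner printed by `firefox --version` / `thunderbird --version` (e.g. `Mozilla Firefox 140.3.0esr`, `Thunderbird 149.0.1`) and the layout of a Firefox enterprise `policies.json` whose `Preferences` entry locks `media.peerconnection.enabled`; the sample banners and policy document are constructed inline. It also handles the branch the advisory is silent on (a Thunderbird ESR build), reporting it for manual review rather than guessing.

```python
"""Host triage for CVE-2026-7321: is the installed build fixed, and if not,
is WebRTC locked off as a stopgap?  Added example, not Mozilla's code.

Assumptions (not taken from the advisory):
  * version banners look like `Mozilla Firefox 140.3.0esr` or
    `Thunderbird 149.0.1` (the output of `<binary> --version`);
  * the mitigation is expressed as a Firefox enterprise policies.json
    `Preferences` entry locking `media.peerconnection.enabled` to false.
"""
import json
import re

# Fixed versions from the advisory.  Thunderbird's ESR line is deliberately
# absent: the advisory gives no fixed 140.x version for it.
FIXED = {
    ("firefox", False): (150, 0, 0),   # rapid release
    ("firefox", True): (140, 10, 1),   # ESR
    ("thunderbird", False): (150, 0, 0),
}

_BANNER = re.compile(
    r"^(?:Mozilla\s+)?(Firefox|Thunderbird)\s+(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?",
    re.IGNORECASE,
)


def parse_banner(banner):
    """Return (product, (major, minor, patch), is_esr) for a --version banner."""
    m = _BANNER.match(banner.strip())
    if not m:
        raise ValueError("unrecognised version banner: %r" % banner)
    product = m.group(1).lower()
    version = tuple(int(m.group(i) or 0) for i in (2, 3, 4))
    return product, version, m.group(5) is not None


def is_vulnerable(banner):
    """True if the build predates the fix, False if fixed, None if the
    advisory lists no fixed version for this branch (manual review)."""
    product, version, esr = parse_banner(banner)
    fixed = FIXED.get((product, esr))
    if fixed is None:
        return None
    # ESR 140.x is numerically below 150 but has its own fix line, which is
    # why the branch is part of the lookup key rather than a plain comparison.
    return version < fixed


def webrtc_locked_off(policies_json):
    """True if policies.json locks media.peerconnection.enabled to false.
    A value whose Status is only 'default' can be flipped back by the user."""
    pref = (json.loads(policies_json)
            .get("policies", {})
            .get("Preferences", {})
            .get("media.peerconnection.enabled"))
    return (isinstance(pref, dict)
            and pref.get("Value") is False
            and pref.get("Status") == "locked")


def triage(banner, policies_json="{}"):
    """One-word verdict for a host: patched, mitigated, vulnerable or review."""
    vuln = is_vulnerable(banner)
    if vuln is None:
        return "review"
    if not vuln:
        return "patched"
    return "mitigated" if webrtc_locked_off(policies_json) else "vulnerable"


# Constructed sample policy document (not from a real deployment).
SAMPLE_POLICY = json.dumps({
    "policies": {
        "Preferences": {
            "media.peerconnection.enabled": {"Value": False, "Status": "locked"}
        }
    }
})

if __name__ == "__main__":
    # Constructed sample banners covering both branches and the unknown case.
    for b in ("Mozilla Firefox 149.0.1", "Mozilla Firefox 150.0",
              "Mozilla Firefox 140.9.0esr", "Mozilla Firefox 140.10.1esr",
              "Thunderbird 149.0.1", "Thunderbird 140.10.0esr"):
        print("%-30s without policy: %-10s with policy: %s"
              % (b, triage(b), triage(b, SAMPLE_POLICY)))
```

Note that "mitigated" is deliberately a separate verdict from "patched": a locked preference only narrows exposure, so hosts in that state still belong on the patch queue.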
Security Insight
This vulnerability highlights a recurring pattern in browser security: WebRTC implementations continue to be a fertile ground for sandbox escape bugs. The WebRTC stack’s complexity and direct access to network and media hardware make it difficult to isolate securely. Mozilla’s rapid patch cycle here is commendable, but the incident underscores that sandbox boundaries are only as strong as the interfaces crossing them. For defense teams, this suggests prioritizing browser updates within 48 hours of critical advisories, particularly when the vulnerability targets a cross-platform component like WebRTC.
Related Advisories
Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10....
Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150....
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10....
Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and w...
Other Mozilla Firefox Vulnerabilities
Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that...
Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort ...