Mozilla warns Windows Users of critical Firefox Sandbox Escape Flaw.The vulnerability impacts the latest Firefox standard and extended support releases (ESR) designed for organizations that require extended support for mass deployments. Mozilla fixed the security flaw in Firefox 136.0.4 & Firefox ESR versions 115.21.1 + 128.8.1.
https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/#CVE-2025-2857
#mozilla #firefox #update #it #security #privacy #engineer #media #tech #news
![Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability that can let attackers escape the web browser's sandbox on Windows systems. Tracked as CVE-2025-2857, this flaw is described as an "incorrect handle could lead to sandbox escapes" and was reported by Mozilla developer Andrew McCreight.
While Mozilla didn't share technical details regarding CVE-2025-2857, it said the vulnerability is similar to a Chrome zero-day exploited in attacks and patched by Google last week.
"Following the sanbdox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles into unpriviled [sic] child processes leading to a sandbox escape," Mozilla said in a advisory. "The original vulnerability was being exploited in the wild. This only affects Firefox on Windows. Other operating systems are unaffected."](https://nerdculture.de/system/media_attachments/files/114/262/693/596/163/774/original/3568705b6e1b7d76.jpeg "Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability that can let attackers escape the web browser's sandbox on Windows systems. Tracked as CVE-2025-2857, this flaw is described as an \"incorrect handle could lead to sandbox escapes\" and was reported by Mozilla developer Andrew McCreight.
While Mozilla didn't share technical details regarding CVE-2025-2857, it said the vulnerability is similar to a Chrome zero-day exploited in attacks and patched by Google last week.
\"Following the sanbdox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles into unpriviled [sic] child processes leading to a sandbox escape,\" Mozilla said in a advisory. \"The original vulnerability was being exploited in the wild. This only affects Firefox on Windows. Other operating systems are unaffected.\"")
