Firefox 152 Flaws Allow Remote Code Multiple Vulnerabilities

Mozilla has released Firefox 152, an update designed to address multiple high-severity vulnerabilities. These flaws could potentially allow remote code execution (RCE) and sandbox escape attacks.

The security advisory, published on June 16, 2026, highlights a wide range of flaws affecting core browser components and emphasizes the urgency for users to update immediately.

Several of the patched vulnerabilities are classified as high impact, primarily involving memory safety issues, use-after-free bugs, and privilege escalation flaws.

These vulnerabilities can be exploited by attackers through specially crafted web content, potentially allowing arbitrary code execution on affected systems.

Multiple Vulnerabilities in Firefox 152

Notable high-risk vulnerabilities include:

CVE-2026-12289: A privilege escalation flaw in the WebRender component that could allow attackers to gain elevated access.

CVE-2026-12291: A use-after-free vulnerability in the HTTP networking component, leading to memory corruption.

CVE-2026-12293: A use-after-free issue in the WebGPU component that could be leveraged for code execution.

CVE-2026-12294 to CVE-2026-12297: Multiple sandbox escape vulnerabilities impacting DOM Workers, Navigation, and process sandboxing mechanisms.

CVE-2026-12299: A JIT miscompilation bug in DOM and HTML components that could result in unpredictable execution behavior.

Additionally, Mozilla reported several memory safety bugs (e.g., CVE-2026-12290, CVE-2026-12298, CVE-2026-12326, CVE-2026-12328) that demonstrated memory corruption.

Such flaws are particularly dangerous because attackers can exploit them to execute arbitrary code remotely. The presence of multiple sandbox escape vulnerabilities significantly increases the attack surface.

In a typical exploit chain, an attacker may first exploit a memory corruption flaw to gain code execution within the browser, then use a sandbox escape vulnerability to break out of the browser’s security boundaries and compromise the underlying system.

For example, combining CVE-2026-12291 (use-after-free) with CVE-2026-12294 (sandbox escape in DOM Workers) could enable a full browser-to-system compromise.

In addition to high-risk flaws, Mozilla addressed several moderate- and low-severity vulnerabilities, including a same-origin policy bypass (CVE-2026-12304) affecting cookie handling.

Information disclosure issues in WebGPU and Password Manager components multiple mitigation bypass vulnerabilities in DOM security mechanisms.

Denial-of-service (DoS) issues in media playback and graphics components. Numerous memory safety bugs across various modules.

While these issues are less severe individually, they can still be chained with other vulnerabilities to enhance attack effectiveness.

According to advisory MFSA 2026-57, Mozilla has patched these vulnerabilities in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 152, while older versions remain vulnerable.

Users and organizations should update Firefox to version 152 or later, apply the latest ESR updates, enable automatic updates, and monitor systems for signs of suspicious browser activity or exploitation attempts.

The Firefox 152 update addresses a critical set of vulnerabilities, many of which could be chained to achieve remote code execution and full system compromise.

Given the presence of active exploit primitives such as memory corruption and sandbox escapes, timely patching is essential to maintaining browser security.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.