CVE-2026-0880 — Integer Overflow or Wraparound in Mozilla Firefox

CWE-190 — Integer Overflow or Wraparound13 documents9 sources

Severity

8.8HIGHNVD

EPSS

0.0%

top 94.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Mozilla Firefox

Timeline

PublishedJan 13

Latest updateFeb 2

Description

Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDmozilla/firefox128.0 — 140.7.0+2

▶NVDmozilla/thunderbird< 140.7.0+1

▶Debianmozilla/thunderbird< 1:140.7.0esr-1~deb11u1+3

🔴Vulnerability Details

CVEList

Sandbox escape due to integer overflow in the Graphics component↗2026-01-13

▶

OSV

CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics component↗2026-01-13

▶

GHSA

GHSA-jvj8-3g49-f23w: Sandbox escape due to integer overflow in the Graphics component↗2026-01-13

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2026-02-02

▶

Red Hat

firefox: thunderbird: Sandbox escape due to integer overflow in the Graphics component↗2026-01-13

▶

Debian

CVE-2026-0880: firefox - Sandbox escape due to integer overflow in the Graphics component. This vulnerabi...↗2026

▶

Mozilla

Mozilla Foundation Security Advisory 2026-02: CVE-2026-0880↗

▶

Mozilla

Mozilla Foundation Security Advisory 2026-04: CVE-2026-0880↗

▶

🕵️Threat Intelligence

Wiz

CVE-2026-0880 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶