Mozilla patches critical Firefox sandbox escape flaw on Windows
Take action: Much like its Google Chrome counterpart, this one is urgent. Since the flaw in Chrome is actively exploited, it is just a matter of time before the Firefox version is as well. DON'T WAIT! Patch all your Firefox and Firefox-based browsers (Waterfox, Tor) NOW. Updating a browser is easy; all your tabs reopen after the patch.
Learn More
Mozilla has released Firefox 136.0.4 to address a critical security vulnerability that could allow attackers to escape the web browser's sandbox on Windows systems.
The flaw, tracked as CVE-2025-2857 (no CVSS score available), is described as an "incorrect handle [that] could lead to sandbox escapes".
The vulnerability affects both the standard Firefox release and the Extended Support Release (ESR) versions, which are designed for organizations requiring extended support for mass deployments. Mozilla has fixed the security flaw in Firefox 136.0.4 and Firefox ESR versions 115.21.1 and 128.8.1.
According to Mozilla's Thursday advisory, the vulnerability is similar to a Chrome zero-day exploited in attacks and patched by Google earlier this week. "Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles into unprivileged child processes leading to a sandbox escape," the advisory reads.
The company emphasized that "the original vulnerability was being exploited in the wild" and noted that this issue "only affects Firefox on Windows. Other operating systems are unaffected."
Users are advised to update their Firefox and Firefox-based browsers immediately.
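To check whether an installed build already carries the fix, the following added example (not code from Mozilla or from this post) compares a Firefox version string against the fixed versions named above; it assumes that major versions 115 and 128 are the ESR trains and everything else is the rapid-release train, and the application.ini contents are a constructed sample.

```python
"""Check Firefox version strings against the fixed builds named in Mozilla's advisory."""
from configparser import ConfigParser

# Fixed versions from the advisory: rapid release plus the two ESR trains.
FIXED = {
    "release": (136, 0, 4),
    "esr128": (128, 8, 1),
    "esr115": (115, 21, 1),
}

# Constructed sample of the [App] section found in a Firefox install's application.ini.
SAMPLE_INI = """[App]
Vendor=Mozilla
Name=Firefox
Version=128.8.0esr
BuildID=00000000000000
"""

def parse_version(text):
    """Turn '136.0.4', '136.0' or '128.8.1esr' into a 3-tuple of ints (missing parts are 0)."""
    parts = [int(p) for p in text.strip().lower().removesuffix("esr").split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def branch_for(version):
    """Assumption: majors 115 and 128 are the ESR trains; anything else is rapid release."""
    return {115: "esr115", 128: "esr128"}.get(version[0], "release")

def is_vulnerable(version_text):
    """Return (vulnerable, branch, fixed_version): older than the branch's fix means unpatched."""
    version = parse_version(version_text)
    branch = branch_for(version)
    fixed = FIXED[branch]
    return version < fixed, branch, ".".join(map(str, fixed))

def version_from_application_ini(ini_text):
    """Read [App] Version from application.ini text (interpolation off: values may hold URLs)."""
    cfg = ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return cfg["App"]["Version"]

if __name__ == "__main__":
    for v in ["136.0.3", "136.0.4", version_from_application_ini(SAMPLE_INI), "115.21.1"]:
        vulnerable, branch, fixed = is_vulnerable(v)
        status = "VULNERABLE, update to " + fixed if vulnerable else "patched"
        print(f"{v:>12} ({branch}): {status}")
```

On a Windows host the application.ini file sits in the Firefox install directory, so the same parser can be pointed at the real file.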