CVE-2026-8945 Overview
CVE-2026-8945 is a sandbox escape vulnerability affecting Mozilla Firefox and Firefox Focus on Android. The flaw is categorized under [CWE-693] Protection Mechanism Failure, indicating that a security control intended to isolate web content from the underlying device was bypassed. Mozilla addressed the issue in Firefox 151, as documented in security advisory MFSA-2026-46.
An attacker exploiting this issue can break out of the browser content sandbox, removing a key boundary that protects the host Android environment from untrusted web content. Successful exploitation requires user interaction and high attack complexity, but yields high impact to confidentiality, integrity, and availability.
Critical Impact
A successful sandbox escape from Firefox on Android can expose data and capabilities outside the browser's isolation boundary, enabling broader compromise of the mobile device.
Affected Products
- Mozilla Firefox for Android prior to version 151
- Mozilla Firefox Focus for Android prior to version 151
- Android devices running affected Firefox builds
Discovery Timeline
- 2026-05-19 - CVE-2026-8945 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-8945
Vulnerability Analysis
The vulnerability is a sandbox escape in the Android builds of Firefox and Firefox Focus. Mozilla classifies the weakness under [CWE-693] Protection Mechanism Failure, which describes a defense that exists but does not function as intended. In a browser context, the sandbox is the isolation layer between rendered web content and the host operating system. When that layer fails, attacker-controlled content executing inside a content process can reach functionality or data outside its intended scope.
Exploitation requires a network-delivered attack and user interaction, such as visiting a crafted page. The high attack complexity indicates the attacker must satisfy specific conditions for the escape to succeed reliably. Once those conditions are met, the impact spans confidentiality, integrity, and availability on the affected device.
Root Cause
Mozilla has not published detailed root-cause technical commentary in the public advisory. The classification under [CWE-693] points to a failure in the sandbox protection mechanism for the Android platform rather than a generic memory-safety defect. Refer to Mozilla Bug Report #2003171 and the Mozilla Security Advisory MFSA-2026-46 for upstream technical detail once access restrictions on the bug are lifted.
Attack Vector
The attack vector is network-based. A user must load attacker-controlled content in Firefox or Firefox Focus on Android, for example by visiting a malicious URL, opening a link from a message, or rendering a compromised advertisement. When the crafted content executes within the content process, it triggers the sandbox escape path and crosses the isolation boundary that normally restricts web content.
No public proof-of-concept, exploit code, or CISA KEV listing exists for this CVE at publication time. The EPSS probability is low, reflecting the absence of observed exploitation activity in the wild.
Detection Methods for CVE-2026-8945
Indicators of Compromise
- No public indicators of compromise have been published by Mozilla for this CVE.
- Unexpected child processes or file writes originating from the Firefox or Firefox Focus app sandbox on Android devices.
- Outbound network connections from the browser process to infrastructure unrelated to user browsing activity.
Detection Strategies
- Inventory Android endpoints to identify Firefox and Firefox Focus installations below version 151 using mobile device management (MDM) telemetry.
- Monitor mobile threat defense logs for anomalous browser behavior such as privilege boundary violations or out-of-policy file access.
- Correlate web proxy or DNS logs with known malicious infrastructure to identify users who visited pages associated with exploit delivery.
Monitoring Recommendations
- Track installed browser versions across the managed Android fleet and alert on instances running Firefox builds older than 151.
- Forward mobile endpoint and proxy telemetry to a centralized data lake to enable retrospective hunts when new indicators are published.
- Watch the Mozilla Security Advisory MFSA-2026-46 and Mozilla Bug Report #2003171 for updated technical detail and indicators.
How to Mitigate CVE-2026-8945
Immediate Actions Required
- Update Firefox for Android and Firefox Focus for Android to version 151 or later through the Google Play Store or your MDM.
- Enforce a minimum browser version policy on managed Android devices and block launches of out-of-date builds where supported.
- Communicate the issue to users and instruct them to avoid following untrusted links until devices are patched.
Patch Information
Mozilla fixed CVE-2026-8945 in Firefox 151. Apply the update on all Android devices that run Firefox or Firefox Focus. Details are available in Mozilla Security Advisory MFSA-2026-46 and the tracking record at Mozilla Bug Report #2003171.
Workarounds
- Restrict use of Firefox and Firefox Focus on Android until devices are upgraded to version 151 or later.
- Use enterprise browser policies or MDM controls to block navigation to untrusted external sites on unpatched devices.
- Enable Android Play Protect and ensure automatic application updates are active to accelerate patch deployment.
# Verify installed Firefox package version on a managed Android device via adb
adb shell dumpsys package org.mozilla.firefox | grep versionName
adb shell dumpsys package org.mozilla.focus | grep versionName
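The version inventory described under Detection Strategies and Monitoring Recommendations, and the adb check above, can be turned into a repeatable patched/vulnerable classification. The script below is an added example, not Mozilla's code and not part of the advisory; it assumes the package names org.mozilla.firefox and org.mozilla.focus used in the adb commands above and the "versionName=" line that `dumpsys package` prints, and the sample dumpsys output embedded in it is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not Mozilla's code, not from the advisory): classify Firefox and
# Firefox Focus for Android installs as patched or vulnerable to CVE-2026-8945 by
# comparing the package versionName against the fixed release, Firefox 151.
# Assumed: package names org.mozilla.firefox / org.mozilla.focus (as in the adb
# commands above) and the "versionName=" line format that dumpsys package prints.
FIXED_MAJOR=151

# Read `dumpsys package <pkg>` output on stdin and print the first versionName value;
# CR characters are stripped because adb shell may emit CRLF line endings.
parse_version_name() {
    tr -d '\r' | sed -n 's/^[[:space:]]*versionName=\(.*\)$/\1/p' | head -n 1
}

# True (exit 0) when the major component of a versionName is >= FIXED_MAJOR.
# Anything that is not a plain number is treated as not fixed, so odd builds get flagged.
is_fixed() {
    major=${1%%.*}
    case "$major" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$major" -ge "$FIXED_MAJOR" ]
}

# Classify dumpsys output on stdin: prints NOT_INSTALLED, PATCHED or VULNERABLE.
classify() {
    v=$(parse_version_name)
    if [ -z "$v" ]; then
        echo NOT_INSTALLED
    elif is_fixed "$v"; then
        echo PATCHED
    else
        echo VULNERABLE
    fi
}

# Live check of the device attached to adb (needs adb on PATH; not exercised offline).
check_device() {
    for pkg in org.mozilla.firefox org.mozilla.focus; do
        printf '%s %s\n' "$pkg" "$(adb shell dumpsys package "$pkg" 2>/dev/null | classify)"
    done
}

# Constructed samples of dumpsys output (one unpatched, one patched) for offline testing.
SAMPLE_OLD='Package [org.mozilla.firefox] (1a2b3c):
    versionName=150.0.1'
SAMPLE_NEW='Package [org.mozilla.focus] (4d5e6f):
    versionName=151.0'

if [ "${1:-}" = --live ]; then check_device; fi
```

Run it with `--live` against a USB-debugging-enabled device to print one line per package; feed it into MDM reporting by iterating over `adb devices` serials with `adb -s <serial>`.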
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.