
Firefox 151 fixes a sandbox escape and a DOM use-after-free (MFSA 2026-46)

Mozilla released Firefox 151 on May 19, 2026, under advisory MFSA 2026-46, which bundles 27 vulnerabilities. The most serious set pairs a sandbox escape in the Android build with a use-after-free in the layer that connects JavaScript to the DOM, plus a flaw that breaks the same-origin policy. Several of these are rated high severity, and some can end in arbitrary code execution.

What was fixed

The standout flaw is CVE-2026-8945, a sandbox escape in Firefox and Firefox Focus for Android. The sandbox is the wall that isolates web content from the rest of the device; once it breaks, a malicious page can step outside that boundary and reach parts of the system it should never touch. It was reported by Daisuke Hatakeyama and Shota Matsuda.

CVE-2026-8947 is a use-after-free in the DOM Bindings (WebIDL) component, the piece that exposes browser APIs to JavaScript. A use-after-free happens when code keeps using a memory object that has already been freed. These bugs are often exploitable to corrupt memory and, in the worst case, run code. Satoki Tsuji found it.

The third notable bug, CVE-2026-8948, is a same-origin policy bypass in the DOM networking component. That policy stops one site from reading another site’s data; getting around it opens the door to stealing information across tabs or domains. It was reported by satyamasd.

The advisory also covers several grouped memory-safety bugs (CVE-2026-8973, CVE-2026-8974, CVE-2026-8975). Mozilla, following its usual classification, judges that some of them could lead to arbitrary code execution. The rest of the batch touches components such as audio and video codecs, networking, widgets, and web extensions, with moderate and low severities.

Who is affected and how to stay safe

Any install older than Firefox 151 is exposed. The Android fix (CVE-2026-8945) matters most for people running Firefox or Firefox Focus on mobile. On the desktop (Linux, Windows, macOS), the main concern is the DOM use-after-free and the same-origin bypass, both exploitable by simply visiting a crafted page.

The versions that fix these issues are:

  • Firefox 151
  • Firefox ESR 140.11
  • Firefox ESR 115.36

If you run an ESR branch in a corporate setting, move to 140.11 or 115.36 depending on your channel. On Linux distributions the package usually lands in the official repository shortly afterwards; on Debian and Ubuntu check that your firefox-esr or firefox package is on the patched version. Mozilla enables automatic updates by default, but it is worth forcing the check from the help menu and restarting the browser so the change takes effect.
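As an added check, not code from the advisory or from Mozilla, the POSIX shell function below takes the string printed by `firefox --version` (or `firefox-esr --version`) and reports whether that build is at or past the fixed versions listed above. It assumes ESR builds can be recognised by their major number (115 or 140) and that any other major belongs to the release channel.

```shell
#!/bin/sh
# Added example, not from the advisory: check whether an installed Firefox is
# at or past the MFSA 2026-46 fixed versions (151, ESR 140.11, ESR 115.36).
# Assumption: ESR builds are recognised by their major number (115 or 140),
# as in the string `firefox --version` prints, e.g. "Mozilla Firefox 140.11.0esr".

# Compare two dotted version strings numerically; prints lt, eq or gt.
# Missing components count as 0, so 151 and 151.0 compare equal.
vercmp() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*} bi=${b%%.*}
    if [ "$a" = "$ai" ]; then a=''; else a=${a#*.}; fi
    if [ "$b" = "$bi" ]; then b=''; else b=${b#*.}; fi
    ai=${ai:-0} bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then echo lt; return; fi
    if [ "$ai" -gt "$bi" ]; then echo gt; return; fi
  done
  echo eq
}

# Return 0 when the version string is patched for MFSA 2026-46, 1 when it
# is not, and 2 when no version number can be found in the input.
firefox_patched() {
  v=$(printf '%s\n' "$1" | grep -o '[0-9][0-9.]*' | head -n 1)
  [ -n "$v" ] || return 2
  case ${v%%.*} in
    115) floor=115.36 ;;  # ESR 115 branch
    140) floor=140.11 ;;  # ESR 140 branch
    *)   floor=151 ;;     # release channel: 151 or newer is fixed
  esac
  [ "$(vercmp "$v" "$floor")" != lt ]
}

# Constructed sample input; on a real host pass "$(firefox --version)" or
# "$(firefox-esr --version)" instead.
if firefox_patched "Mozilla Firefox 140.10.0esr"; then
  echo "patched for MFSA 2026-46"
else
  echo "NOT patched for MFSA 2026-46: update now"
fi
```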

There is no public record of active exploitation as of the advisory, but memory bugs in browsers have a long history of turning into real exploits, so there is no reason to put off the update.
