Introduction
A buffer overflow in Firefox ESR's WebRTC Networking component allows a remote attacker to escape the browser sandbox with no privileges required, earning a CVSS score of 9.6 from CISA ADP. For organizations that rely on Firefox ESR in managed or enterprise environments, this vulnerability (CVE-2026-7321) represents a direct path from a malicious webpage to code execution outside the browser's security boundary.
Technical Information
The root cause of CVE-2026-7321 is incorrect boundary conditions within the WebRTC Networking component of Firefox ESR. The vulnerability is classified under CWE-120: Buffer Copy without Checking Size of Input, commonly known as a Classic Buffer Overflow. The WebRTC networking code fails to validate the size of input data before copying it into a fixed-size buffer, allowing an attacker to write beyond the allocated memory region.
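To make the CWE-120 pattern concrete, here is a hypothetical C packet handler showing an unchecked copy of the kind described above beside its bounds-checked counterpart. This is an added example, not Firefox's WebRTC code (whose details are not public); the wire format, the 64-byte buffer and the function names are assumptions.

```c
/* Hypothetical CWE-120 pattern and its bounds-checked counterpart (added
 * example; not Firefox's WebRTC code, whose details are not public). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_MAX 64          /* fixed-size destination buffer (assumed) */
typedef struct {
    uint8_t payload[PAYLOAD_MAX];
    size_t  len;
} packet_t;

/* Constructed wire format: 2-byte big-endian length prefix, then payload. */
static size_t declared_len(const uint8_t *pkt) {
    return ((size_t)pkt[0] << 8) | pkt[1];
}

/* Vulnerable (CWE-120): trusts the sender's length field and copies that many
 * bytes into a 64-byte buffer, so a declared length above 64 writes past the
 * end of payload[]. Shown for contrast only; never use on untrusted input. */
int parse_packet_unchecked(const uint8_t *pkt, packet_t *out) {
    size_t n = declared_len(pkt);
    memcpy(out->payload, pkt + 2, n);    /* no comparison with PAYLOAD_MAX */
    out->len = n;
    return 0;
}

/* Hardened: rejects a length larger than the destination buffer (overflow) or
 * larger than the bytes actually received (over-read). 0 = ok, -1 = reject. */
int parse_packet_checked(const uint8_t *pkt, size_t pkt_len, packet_t *out) {
    if (pkt == NULL || out == NULL || pkt_len < 2) return -1; /* header incomplete */
    size_t n = declared_len(pkt);
    if (n > PAYLOAD_MAX || n > pkt_len - 2) return -1; /* oversized or truncated */
    memcpy(out->payload, pkt + 2, n);
    out->len = n;
    return 0;
}

/* Builds a constructed packet claiming `declared` bytes but carrying `body_len`
 * bytes of 'A', runs the checked parser, and returns its verdict. */
int checked_verdict(size_t declared, size_t body_len) {
    uint8_t buf[512];
    packet_t out;
    if (body_len > sizeof buf - 2) return -2;  /* harness limit, not a verdict */
    buf[0] = (uint8_t)(declared >> 8);
    buf[1] = (uint8_t)(declared & 0xff);
    memset(buf + 2, 'A', body_len);
    return parse_packet_checked(buf, body_len + 2, &out);
}
```

The checked parser rejects both a length field exceeding the destination buffer and a length field exceeding the bytes actually received, which are the two distinct failures an unchecked copy would silently accept.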
CVSS Vector Breakdown
The CVSS 3.1 vector string assigned by CISA ADP is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. This tells us several important things about the attack surface:
- Attack Vector: Network. Exploitation occurs remotely, likely through a malicious webpage or WebRTC session.
- Attack Complexity: Low. No special conditions or race windows are needed.
- Privileges Required: None. The attacker does not need any authentication.
- User Interaction: Required. A victim must visit a malicious page or otherwise engage with attacker-controlled content.
- Scope: Changed. This is the critical detail. A "Changed" scope means the vulnerability impacts resources beyond the vulnerable component's security authority. The buffer overflow in WebRTC networking code allows the attacker to break out of the browser sandbox entirely, gaining access to the underlying operating system or other processes.
The resulting impact ratings are High across all three pillars: Confidentiality, Integrity, and Availability.
Severity Discrepancy
There is a notable disagreement in severity assessment. The NVD, using CISA ADP data, rates this as CRITICAL with a 9.6 score. Mozilla's own advisory (MFSA 2026-36), however, classifies the impact as moderate. This kind of divergence is not unusual; vendors sometimes rate based on practical exploitability or internal threat modeling, while NVD scoring follows a more formulaic approach tied to the CVSS vector. For defensive planning, we recommend treating the higher rating seriously given the sandbox escape capability.
Attack Flow
Based on the CVSS vector and vulnerability characteristics, the expected exploitation flow would proceed as follows:
- An attacker crafts a malicious webpage or WebRTC session that triggers the buffer overflow in the WebRTC Networking component.
- A victim using a vulnerable version of Firefox ESR navigates to the attacker-controlled content or is redirected to it.
- The malicious input exceeds the expected buffer size in the WebRTC networking code, overwriting adjacent memory.
- The attacker leverages the memory corruption to achieve code execution within the browser's content process.
- Because the scope is "Changed," the attacker uses this foothold to escape the browser sandbox, gaining access to the host operating system with the privileges of the browser process.
The vulnerability was reported by a security researcher identified as Bugmon. The associated Bugzilla ticket (bug 2029461) is access restricted, so no crash logs, stack traces, or additional technical details are publicly available.
Affected Systems and Versions
| Product | Status | Version |
|---|---|---|
| Mozilla Firefox ESR | Vulnerable | All versions prior to 140.10.1 |
| Mozilla Firefox ESR | Fixed | 140.10.1 and later |
Administrators should verify their software inventory to ensure no instances of vulnerable Firefox ESR versions remain active in their environments.
Vendor Security History
Mozilla maintains a mature and active security posture. The organization operates a dedicated Bug Bounty Program through HackerOne to encourage independent security research and responsible disclosure. Mozilla consistently publishes Foundation Security Advisories to transparently communicate vulnerabilities and deliver timely patches. Firefox ESR, as a product line, is specifically designed for organizations that need extended support cycles, making prompt patching of critical vulnerabilities especially important for its user base. As of March 2026, Firefox holds approximately 2.33 percent of the global desktop browser market; while modest in overall share, its concentration in enterprise and managed deployments amplifies the relevance of vulnerabilities like CVE-2026-7321.