CVE-2025-2857CRITICAL 10.0EPSS p76.6%

CVE-2025-2857CVE-2025-2857

Description

Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The original vulnerability was being exploited in the wild. *This only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 136.0.4, Firefox ESR 128.8.1, and Firefox ESR 115.21.1.

Scoring

CVSS 3.110.0 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS1.87% probability of exploitation · percentile 76.6% · 2026-06-19T12:03:05Z
Published2025-03-27
Last modified2026-04-13

Underlying weaknesses· 1

CWE-668

References

  1. https://bugzilla.mozilla.org/show_bug.cgi?id=1956398
  2. https://issues.chromium.org/issues/405143032
  3. https://www.cve.org/CVERecord?id=CVE-2025-2783
  4. https://www.mozilla.org/security/advisories/mfsa2025-19/

1

TypeTargetConfidenceTier
WeaknessExposure of Resource to Wrong Spherecwe-6680%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-8959
CVE
CVE-2026-8958
CVE
CVE-2025-1930
CVE
CVE-2026-2776
CVE
CVE-2026-2778
CVE
CVE-2025-12380
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.