2026-07-17 · view entry permalink →
Firefox 152.0.6 — chained WebAssembly memory-safety and DOM-navigation site-isolation flaws with public exploit code (CVE-2026-15718, CVE-2026-15719)
Mozilla released Firefox 152.0.6 on 2026-07-14 to fix two flaws NCSC-NL flagged on 2026-07-16 specifically because exploit code is public, which raises the likelihood of abuse (NCSC-NL, 2026-07-16). CVE-2026-15718 is an invalid-pointer memory-safety bug in the JavaScript engine's WebAssembly component; CVE-2026-15719 is a site-isolation bypass in the DOM Navigation component (Mozilla, 2026-07-14). The pairing matches the classic browser-exploit shape where a site-isolation bypass turns a memory-safety bug into cross-origin/sandbox-relevant code execution, needing only that a victim load a malicious page or a legitimate page serving a malicious ad. Severity ratings diverge across the primaries: Mozilla labels both flaws "Critical" impact, while NCSC-NL's CSAF record scores them CVSS 3.1 MEDIUM (CVE-2026-15718 base 4.3, CVE-2026-15719 base 5.4) — the individual base scores are moderate, and the operational concern is the chained code-execution potential plus the public exploit code, not a high CVSS. Crucially, Mozilla's own advisory text for both CVEs is explicit: "we are aware that exploit code for this is public however we are not aware of any attacks in the wild abusing this flaw" — so the accurate status is public PoC, not confirmed exploitation, and the "zero-day exploited in attacks" framing carried by at least one vulnerability-scanner blog overstates the primary source.
We are aware that exploit code for this is public however we are not aware of any attacks in the wild abusing this flaw.
Mozilla geeft aan dat exploitcode voor de kwetsbaarheden publiek beschikbaar is. Dit vergroot de kans op misbruik.