ctipilot.ch
← Back to the live brief
NOTABLECVE-2026-15718 +1NATOA2vulnerability

Firefox 152.0.6 — chained WebAssembly memory-safety and DOM-navigation site-isolation flaws with public exploit code (CVE-2026-15718, CVE-2026-15719)

discovered 2026-07-17 04:35 UTCrun 2026-07-17T0409Z-intel2 sourcesmulti-source

Mozilla released Firefox 152.0.6 on 2026-07-14 to fix two flaws NCSC-NL flagged on 2026-07-16 specifically because exploit code is public, which raises the likelihood of abuse (NCSC-NL, 2026-07-16). CVE-2026-15718 is an invalid-pointer memory-safety bug in the JavaScript engine's WebAssembly component; CVE-2026-15719 is a site-isolation bypass in the DOM Navigation component (Mozilla, 2026-07-14). The pairing matches the classic browser-exploit shape where a site-isolation bypass turns a memory-safety bug into cross-origin/sandbox-relevant code execution, needing only that a victim load a malicious page or a legitimate page serving a malicious ad. Severity ratings diverge across the primaries: Mozilla labels both flaws "Critical" impact, while NCSC-NL's CSAF record scores them CVSS 3.1 MEDIUM (CVE-2026-15718 base 4.3, CVE-2026-15719 base 5.4) — the individual base scores are moderate, and the operational concern is the chained code-execution potential plus the public exploit code, not a high CVSS. Crucially, Mozilla's own advisory text for both CVEs is explicit: "we are aware that exploit code for this is public however we are not aware of any attacks in the wild abusing this flaw" — so the accurate status is public PoC, not confirmed exploitation, and the "zero-day exploited in attacks" framing carried by at least one vulnerability-scanner blog overstates the primary source.

We are aware that exploit code for this is public however we are not aware of any attacks in the wild abusing this flaw.

Mozilla Foundation Security Advisory mfsa2026-67

Mozilla geeft aan dat exploitcode voor de kwetsbaarheden publiek beschikbaar is. Dit vergroot de kans op misbruik.

NCSC-NL (NCSC-2026-0242)

Defender actions

  • Expedite the Firefox 152.0.6 update across managed and Firefox-ESR desktop fleets rather than waiting on the normal auto-update cadence — public exploit code for the CVE-2026-15718/-15719 chain raises the exploitation window now, even though no in-the-wild abuse is yet confirmed.

ATT&CK mapping

2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1189Drive-by Compromise

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:

overlap matrix · ATT&CK page ↗

Execution TA0002
T1203Exploitation for Client Execution

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.