Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
https://www.mozilla.org/security/advisories/mfsa2026-05/
https://www.mozilla.org/security/advisories/mfsa2026-04/
https://www.mozilla.org/security/advisories/mfsa2026-03/
https://www.mozilla.org/security/advisories/mfsa2026-02/
https://www.mozilla.org/security/advisories/mfsa2026-01/
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-0880.json
https://bugzilla.redhat.com/show_bug.cgi?id=2428975
https://bugzilla.mozilla.org/show_bug.cgi?id=2005014
https://access.redhat.com/security/cve/CVE-2026-0880
https://access.redhat.com/errata/RHSA-2026:2286
https://access.redhat.com/errata/RHSA-2026:2271
https://access.redhat.com/errata/RHSA-2026:2231
https://access.redhat.com/errata/RHSA-2026:2220
https://access.redhat.com/errata/RHSA-2026:2074
https://access.redhat.com/errata/RHSA-2026:2073
https://access.redhat.com/errata/RHSA-2026:2070
https://access.redhat.com/errata/RHSA-2026:2069
https://access.redhat.com/errata/RHSA-2026:2047
https://access.redhat.com/errata/RHSA-2026:2044
https://access.redhat.com/errata/RHSA-2026:2043
https://access.redhat.com/errata/RHSA-2026:2041
https://access.redhat.com/errata/RHSA-2026:1487
https://access.redhat.com/errata/RHSA-2026:1471
https://access.redhat.com/errata/RHSA-2026:1462
https://access.redhat.com/errata/RHSA-2026:1461
https://access.redhat.com/errata/RHSA-2026:1415
https://access.redhat.com/errata/RHSA-2026:1414
https://access.redhat.com/errata/RHSA-2026:1413
https://access.redhat.com/errata/RHSA-2026:1320
https://access.redhat.com/errata/RHSA-2026:0924