CVE-2025-2857

Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The original vulnerability was being exploited in the wild. *This only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 136.0.4, Firefox ESR 128.8.1, and Firefox ESR 115.21.1.

Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The original vulnerability was being exploited in the wild. *This only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 136.0.4, Firefox ESR 128.8.1, and Firefox ESR 115.21.1.

Tras la reciente fuga de la sandbox de Chrome (CVE-2025-2783), varios desarrolladores de Firefox identificaron un patrón similar en nuestro código IPC. Un proceso secundario comprometido podía provocar que el proceso principal devolviera un identificador involuntariamente potente, lo que provocaba una fuga de la sandbox. La vulnerabilidad original se estaba explotando in situ. *Esto solo afecta a Firefox en Windows. Otros sistemas operativos no se ven afectados.* Esta vulnerabilidad afecta a Firefox < 136.0.4, Firefox ESR < 128.8.1 y Firefox ESR < 115.21.1.