Firefox Rushes Out Fix After Attack Code for Two Critical Bugs Appears Online

Mozilla says working exploit code is already public for two serious flaws in its browser. Users should update now.

ThreatVectr Newsdesk· 3 min read
Full-frame photoreal editorial shot of a modern laptop on a dark desk, screen glowing with an abstract orange and blue browser update notification, soft depth o
Share

Key points

  • Mozilla patched two critical Firefox flaws, CVE-2026-15718 and CVE-2026-15719, after working attack code appeared in public.
  • The first bug sits in the browser's WebAssembly engine, the second breaks the safety wall that keeps websites isolated from each other.
  • Mozilla says it has not yet seen the flaws used against real users, but the public exploit code raises the risk sharply.
  • Firefox users on desktop should update immediately through the browser's built-in updater.

Mozilla has pushed out an emergency update for Firefox after admitting that ready-made attack code for two critical flaws in the browser is already circulating online.

The fix landed this week. Mozilla's own advisory is blunt: "We are aware that exploit code for this is public."

That matters. Public exploit code means any competent attacker can copy, adapt and fire it at Firefox users without needing to discover the bugs themselves.

What exactly did Mozilla fix?

Two separate flaws, both rated critical by Mozilla.

The first is CVE-2026-15718, an invalid pointer bug inside Firefox's WebAssembly engine. WebAssembly, usually written as Wasm, is the technology that lets websites run fast, near-native code inside your browser: think in-browser video editors, games and CAD tools. An invalid pointer, in plain English, is when the program tries to use a memory address that does not point where it should. Attackers can often twist that mistake into a way to run their own code on your computer.

The second is CVE-2026-15719, a site isolation failure in the part of Firefox that handles navigation between web pages. Site isolation is the safety wall that stops one website, say a dodgy ad, from reading data belonging to another site you have open, say your bank. When that wall cracks, a malicious page can potentially snoop on tabs it should never see.

Mozilla says it is not aware of either flaw being used against real people yet. As The Hacker News noted in its roundup, that qualifier tends to age quickly once exploit code is loose.

Should ordinary Firefox users be worried?

Worried, no. Prompt, yes.

Critical browser bugs with public exploit code are the classic case where the gap between "patch released" and "attackers weaponise it at scale" is measured in days, sometimes hours. The fix is trivial to apply. The cost of ignoring it is not.

On desktop, open Firefox, click the menu, then Help, then About Firefox. The browser checks for updates and installs them itself. Restart when it asks. That is the entire job.

Mobile Firefox users should update through their app store as soon as the new version appears there.

Who is on the hook if something goes wrong?

Firefox is made by the Mozilla Foundation, a US non-profit. There is no single regulator riding shotgun on browser security the way the FTC oversees consumer data practices or the ICO oversees UK personal data. But if a compromised browser leads to a company data breach, the usual rules kick in: the FTC in the US, the ICO in the UK, and equivalents like the OAIC in Australia will expect the breached company, not Mozilla, to notify affected people.

That is the practical stakes here. A browser bug is rarely just a browser bug once it lands inside a corporate laptop.

What affected users should do

Update Firefox today, on every device you use it on. If you manage a fleet of machines, push the new version through your update tooling rather than trusting each user to click through the menu.

And if you use Firefox for anything sensitive, banking, healthcare portals, work email, treat the next week as a period to be a little more suspicious of odd links and unexpected pop-ups than usual. Public exploit code tends to end up bolted onto phishing campaigns fast.

© 2026 Threat Vectr