
Mozilla fixes two critical Firefox flaws after public exploit code appears
Mozilla's Firefox 152.0.6 fixes two critical flaws after public exploit code appeared, though no in-the-wild attacks are known.
Mozilla has shipped Firefox 152.0.6 to close two critical browser flaws after warning that public exploit code exists for both issues. The company says it is not aware of attacks in the wild, but the advisory makes the update more urgent than a routine maintenance release because working exploit material can shorten the time between disclosure and attempted abuse.
The July 14 advisory lists CVE-2026-15718 as an invalid pointer issue in Firefox's JavaScript: WebAssembly component. It also lists CVE-2026-15719 as a site isolation problem in the DOM Navigation component. Mozilla rated both vulnerabilities critical, its highest impact category, and says the fix is included in Firefox 152.0.6.
Why browser teams move quickly on these bugs
Browser vulnerabilities are especially sensitive because the browser sits between users and untrusted web content all day. A flaw in the JavaScript, WebAssembly, or navigation stack can become valuable to attackers if it can be combined with a malicious page, a compromised site, or another weakness that helps escape a browser security boundary. Mozilla's advisory does not claim that either flaw has been used in real-world attacks, and it does not provide exploit details, but the public-code note is enough to make rapid patching the practical response.
The affected product named by Mozilla is Firefox, and the fixed version is Firefox 152.0.6. Users on managed systems should expect administrators to test and deploy the release quickly, while individual users can check the browser's about dialog or package manager to confirm that the update has landed. The advisory does not list Firefox ESR or Thunderbird in this specific notice, so organizations should track their own Mozilla product channels separately rather than assuming every channel changed at the same time.
What to watch next
The most important operational detail is that Mozilla distinguishes public exploit code from observed exploitation. That means defenders do not yet have confirmation of active abuse from the advisory itself, but the risk profile has still changed. Public exploit material can be studied by security researchers, but it can also be adapted by opportunistic attackers. For teams that rely on browser hardening, the release is a reminder to keep auto-update telemetry, endpoint inventory, and exception lists current enough to verify that emergency browser patches are actually installed.
Mozilla credited Christian Holler for reporting the WebAssembly invalid pointer issue and Atsushi Sada for reporting the DOM Navigation site isolation issue. The company linked each CVE to its corresponding Bugzilla entry, but kept the public advisory concise. That restraint is typical for browser security fixes where too much early technical detail could help attackers before users have had time to update.
Sources
Cover photo by Markus Spiske on Pexels, used under the Pexels License.
CyberOGZ Team






Comments (0)
Leave a Comment