Firefox 150.0.3 Closes Critical Security Vulnerabilities

Mozilla released an important security update for the Firefox browser on May 13, 2026. Version 150.0.3 addresses a total of five security vulnerabilities, which are classified as high-risk. This action comes in the context of a recently discovered exploit chain demonstrated by an unknown security researcher. The researcher, who goes by the pseudonym ggwhyp, developed a multi-part exploit chain that starts on an HTML page in the browser and leads to the execution of cmd.exe.

This chain ends with the invocation of the Windows calculator, which is considered a typical demo exploit. Originally, ggwhyp planned to present his discovery at the Pwn2own hacking competition in Berlin, which begins on May 14, 2026. However, Trend Micro ZDI, the organizer of the competition, rejected ggwhyp. Subsequently, the researcher decided to share the information directly with Mozilla, which is regarded as responsible disclosure.

The exploit code has not been made public to prevent potential attacks. The central vulnerability in the exploit chain is classified as CVE-2026-8401, which allows for a breakout from the browser sandbox. This discovery could pose problems for other participants in the Pwn2own competition, as they may have intended to exploit the same vulnerability. In addition to the vulnerabilities discovered by ggwhyp, the update also addresses a fifth security flaw identified as CVE-2026-8390. This involves a use-after-free vulnerability in JavaScript and was apparently discovered using an AI tool from OpenAI.

Closing these vulnerabilities is crucial to ensuring user safety. Mozilla has announced that the next version of Firefox, 151, is scheduled for release on May 19, 2026. From that date, the company plans to provide weekly security updates for the browser. This is a response to the increasing threats in the field of cybersecurity and aligns with the practices of Google, which has already implemented similar measures for Chrome.

Another bug fixed in the previous version 150.0.2 concerned the display of passwords in form fields. These were shown in plain text when printed and in print preview, instead of being masked with "****". Such security vulnerabilities can increase the risk of data leaks and were therefore promptly addressed. Mozilla recommends that users keep their browsers up to date and additionally use appropriate antivirus software to enhance the security of their systems. The combination of regular updates and additional security software can help prevent potential attacks.

The vulnerabilities addressed by the update not only affect Firefox users but can also impact the overall security of Windows systems. The discovery and remediation of such vulnerabilities is an ongoing process that is critical for the safety of all internet users. Mozilla is committed to continuously improving the security of its products and responding quickly to new threats. The release of update 150.0.3 is another step in this direction and demonstrates the company's commitment to user security. The vulnerability CVE-2026-8401 is particularly critical, as it could allow attackers to take control of systems using the Firefox browser.