Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability that can let attackers escape the web browser’s sandbox on Windows systems.

Tracked as CVE-2025–2857, this flaw is described as an “incorrect handle could lead to sandbox escapes” and was reported by Mozilla developer Andrew McCreight.

The vulnerability impacts the latest Firefox standard and extended support releases (ESR) designed for organizations that require extended support for mass deployments. Mozilla fixed the security flaw in Firefox 136.0.4 and Firefox ESR versions 115.21.1 and 128.8.1.