Issued:
2026-03-09
Updated:
2026-03-09

RHSA-2026:3984 - Important: firefox security update

Synopsis

Important: firefox security update

Type/Severity

Security Advisory Important

Topic

An update for firefox is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

  • libvpx: Heap buffer overflow in libvpx (CVE-2026-2447)

  • firefox: Invalid pointer in the JavaScript Engine component (CVE-2026-2785)

  • firefox: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2793)

  • firefox: Undefined behavior in the DOM: Core & HTML component (CVE-2026-2771)

  • firefox: Integer overflow in the Audio/Video component (CVE-2026-2774)

  • firefox: Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software (CVE-2026-2776)

  • firefox: Integer overflow in the Libraries component in NSS (CVE-2026-2781)

  • firefox: Use-after-free in the JavaScript Engine: JIT component (CVE-2026-2766)

  • firefox: Use-after-free in the Storage: IndexedDB component (CVE-2026-2769)

  • firefox: Use-after-free in the DOM: Window and Location component (CVE-2026-2787)

  • firefox: Sandbox escape in the Storage: IndexedDB component (CVE-2026-2768)

  • firefox: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component (CVE-2026-2783)

  • firefox: Incorrect boundary conditions in the Audio/Video: GMP component (CVE-2026-2788)

  • firefox: Mitigation bypass in the DOM: Security component (CVE-2026-2784)

  • firefox: Incorrect boundary conditions in the Graphics: ImageLib component (CVE-2026-2759)

  • firefox: Integer overflow in the JavaScript: Standard Library component (CVE-2026-2762)

  • firefox: Sandbox escape in the Graphics: WebRender component (CVE-2026-2761)

  • firefox: Privilege escalation in the Messaging System component (CVE-2026-2777)

  • firefox: Same-origin policy bypass in the Networking: JAR component (CVE-2026-2790)

  • firefox: Mitigation bypass in the DOM: HTML Parser component (CVE-2026-2775)

  • firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2763)

  • firefox: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2792)

  • firefox: Incorrect boundary conditions in the Web Audio component (CVE-2026-2773)

  • firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2786)

  • firefox: Use-after-free in the Graphics: ImageLib component (CVE-2026-2789)

  • firefox: thunderbird: Incorrect boundary conditions in the WebRTC: Audio/Video component (CVE-2026-2757)

  • firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component (CVE-2026-2760)

  • firefox: Use-after-free in the Audio/Video: Playback component (CVE-2026-2772)

  • firefox: Incorrect boundary conditions in the Networking: JAR component (CVE-2026-2779)

  • firefox: Use-after-free in the JavaScript: WebAssembly component (CVE-2026-2767)

  • firefox: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component (CVE-2026-2764)

  • firefox: Privilege escalation in the Netmonitor component (CVE-2026-2782)

  • firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2765)

  • firefox: Privilege escalation in the Netmonitor component (CVE-2026-2780)

  • firefox: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component (CVE-2026-2778)

  • firefox: Use-after-free in the JavaScript: GC component (CVE-2026-2758)

  • firefox: Mitigation bypass in the Networking: Cache component (CVE-2026-2791)

  • firefox: Use-after-free in the DOM: Bindings (WebIDL) component (CVE-2026-2770)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

ProductVersionArch
Red Hat Enterprise Linux Server - Extended Life Cycle Support7x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian7ppc64le
Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian7ppc64
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems)7s390x

Updated Packages

  • firefox-140.8.0-2.el7_9.ppc64.rpm
  • firefox-140.8.0-2.el7_9.src.rpm
  • firefox-debuginfo-140.8.0-2.el7_9.s390x.rpm
  • firefox-140.8.0-2.el7_9.ppc64le.rpm
  • firefox-debuginfo-140.8.0-2.el7_9.ppc64.rpm
  • firefox-140.8.0-2.el7_9.s390x.rpm
  • firefox-140.8.0-2.el7_9.x86_64.rpm
  • firefox-debuginfo-140.8.0-2.el7_9.ppc64le.rpm

Fixes

CVEs

References

Additional information