Debian Firefox-Esr vulnerabilities
1,071 known vulnerabilities affecting debian/firefox-esr.
Total CVEs: 1,071
CISA KEV: 11 (actively exploited)
Public exploits: 23
Exploited in wild: 15
Severity breakdown: CRITICAL 236, HIGH 418, MEDIUM 292, LOW 125
Vulnerabilities
Page 5 of 54
CVE-2026-0877 | HIGH | CVSS 8.1 | fixed in firefox 147.0-1 (sid) | 2026
Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Scope: local
sid: resolved (fixed in 147.0-1)
debian
CVE-2026-4694 | HIGH | CVSS 7.5 | fixed in firefox 149.0-1 (sid) | 2026
Incorrect boundary conditions, integer overflow in the Graphics component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Scope: local
sid: resolved (fixed in 149.0-1)
debian
CVE-2026-0885 | MEDIUM | CVSS 6.5 | fixed in firefox 147.0-1 (sid) | 2026
Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Scope: local
sid: resolved (fixed in 147.0-1)
debian
CVE-2026-0890 | MEDIUM | CVSS 5.4 | fixed in firefox 147.0-1 (sid) | 2026
Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Scope: local
sid: resolved (fixed in 147.0-1)
debian
CVE-2026-0887 | MEDIUM | CVSS 4.3 | fixed in firefox 147.0-1 (sid) | 2026
Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Scope: local
sid: resolved (fixed in 147.0-1)
debian
CVE-2026-0886 | MEDIUM | CVSS 5.3 | fixed in firefox 147.0-1 (sid) | 2026
Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Scope: local
sid: resolved (fixed in 147.0-1)
debian
CVE-2026-0883 | MEDIUM | CVSS 5.3 | fixed in firefox 147.0-1 (sid) | 2026
Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Scope: local
sid: resolved (fixed in 147.0-1)
debian
CVE-2026-2447 | LOW | CVSS 8.8 | fixed in firefox 147.0.4-1 (sid) | 2026
CVE-2026-2447 [HIGH] CVE-2026-2447: firefox - Heap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Fi...
Heap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird < 140.7.2, and Thunderbird < 147.0.2.
Scope: local
sid: resolved (fixed in 147.0.4-1)
debian
CVE-2026-4711 | LOW | CVSS 9.8 | 2026
CVE-2026-4711 [CRITICAL] CVE-2026-4711: firefox - Use-after-free in the Widget: Cocoa component. This vulnerability affects Firefo...
Use-after-free in the Widget: Cocoa component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Scope: local
sid: resolved
debian
CVE-2026-4712 | LOW | CVSS 7.5 | 2026
CVE-2026-4712 [HIGH] CVE-2026-4712: firefox - Information disclosure in the Widget: Cocoa component. This vulnerability affect...
Information disclosure in the Widget: Cocoa component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Scope: local
sid: resolved
debian
CVE-2025-11710 | CRITICAL | CVSS 9.8 | fixed in firefox 144.0-1 (sid) | 2025
A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. This vulnerability affects Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.
Scope: local
sid: resolved (fixed in 144.0-1)
debian
CVE-2025-1016 | CRITICAL | CVSS 9.8 | fixed in firefox 135.0-1 (sid) | 2025
Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 135, Firefox ESR < 115.20, Fi
debian
CVE-2025-11708 | CRITICAL | CVSS 9.8 | fixed in firefox 144.0-1 (sid) | 2025
Use-after-free in MediaTrackGraphImpl::GetInstance(). This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.
Scope: local
sid: resolved (fixed in 144.0-1)
debian
CVE-2025-4083 | CRITICAL | CVSS 9.1 | fixed in firefox 138.0-1 (sid) | 2025
A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird <
debian
CVE-2025-4918 | CRITICAL | CVSS 9.8 | fixed in firefox 138.0.4-1 (sid) | 2025
An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability affects Firefox < 138.0.4, Firefox ESR < 128.10.1, Firefox ESR < 115.23.1, Thunderbird < 128.10.2, and Thunderbird < 138.0.2.
Scope: local
sid: resolved (fixed in 138.0.4-1)
debian
CVE-2025-14324 | CRITICAL | CVSS 9.8 | fixed in firefox 146.0-1 (sid) | 2025
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Scope: local
sid: resolved (fixed in 146.0-1)
debian
CVE-2025-9179 | CRITICAL | CVSS 9.8 | fixed in firefox 142.0-1 (sid) | 2025
An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and T
debian
CVE-2025-14330 | CRITICAL | CVSS 9.8 | fixed in firefox 146.0-1 (sid) | 2025
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Scope: local
sid: resolved (fixed in 146.0-1)
debian
CVE-2025-8028 | CRITICAL | CVSS 9.8 | fixed in firefox 141.0-1 (sid) | 2025
On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
Scop
debian
CVE-2025-1009 | CRITICAL | CVSS 9.8 | fixed in firefox 135.0-1 (sid) | 2025
An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. This vulnerability affects Firefox < 135, Firefox ESR < 115.20, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135.
Scope: local
sid: resolved (fixed in 135.0-1)
debian