Debian Firefox vulnerabilities
1,550 known vulnerabilities affecting debian/firefox.
Total CVEs: 1,550
CISA KEV: 11 (actively exploited)
Public exploits: 39
Exploited in wild: 20
Severity breakdown
CRITICAL 333 | HIGH 633 | MEDIUM 542 | LOW 42
Vulnerabilities
CVE-2026-2791 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 148.0-1 (sid) | 2026
Mitigation bypass in the Networking: Cache component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Scope: local
sid: resolved (fixed in 148.0-1)
debian
CVE-2026-5731 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 149.0.2-1 (sid) | 2026
Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.0.2, Firefox ESR < 115.34.1,
debian
CVE-2025-14860 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 146.0.1-1 (sid) | 2025
Use-after-free in the Disability Access APIs component. This vulnerability affects Firefox < 146.0.1.
Scope: local
sid: resolved (fixed in 146.0.1-1)
debian
CVE-2026-2790 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 148.0-1 (sid) | 2026
Same-origin policy bypass in the Networking: JAR component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Scope: local
sid: resolved (fixed in 148.0-1)
debian
CVE-2022-24713 | P3 | HIGH | CVSS 7.5 | fixed in firefox 99.0-1 (sid) | 2022
regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of t
debian
CVE-2021-32810 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 93.0-1 (sid) | 2021
crossbeam-deque is a package of work-stealing deques for building task schedulers when programming in Rust. In versions prior to 0.7.4 and 0.8.0, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double f
debian
CVE-2020-6823 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 75.0-1 (sid) | 2020
A malicious extension could have called browser.identity.launchWebAuthFlow, controlling the redirect_uri, and through the Promise returned, obtain the Auth code and gain access to the user's account at the service provider. This vulnerability affects Firefox < 75.
Scope: local
sid: resolved (fixed in 75.0-1)
debian
CVE-2021-30547 | P3 | HIGH | CVSS 8.8 | fixed in chromium 93.0.4577.82-1 (bookworm) | 2021
Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 93.0.4577.82-1)
bullseye: resolved (fixed in 93.0.4577.82-1)
forky: resolved (fixed in 93.0.4577.82-1)
sid: resolved (fixed in 93.0.4577.82-1)
trixie: res
debian
CVE-2026-4698 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 149.0-1 (sid) | 2026
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Scope: local
sid: resolved (fixed in 149.0-1)
debian
CVE-2026-2773 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 148.0-1 (sid) | 2026
Incorrect boundary conditions in the Web Audio component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Scope: local
sid: resolved (fixed in 148.0-1)
debian
CVE-2026-2775 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 148.0-1 (sid) | 2026
Mitigation bypass in the DOM: HTML Parser component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Scope: local
sid: resolved (fixed in 148.0-1)
debian
CVE-2024-9392 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 131.0-1 (sid) | 2024
A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.
Scope: local
sid: resolved (fixed in 131.0-1)
debian
CVE-2026-2757 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 148.0-1 (sid) | 2026
Incorrect boundary conditions in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Scope: local
sid: resolved (fixed in 148.0-1)
debian
CVE-2026-4696 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 149.0-1 (sid) | 2026
Use-after-free in the Layout: Text and Fonts component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Scope: local
sid: resolved (fixed in 149.0-1)
debian
CVE-2026-4691 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 149.0-1 (sid) | 2026
Use-after-free in the CSS Parsing and Computation component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Scope: local
sid: resolved (fixed in 149.0-1)
debian
CVE-2025-14324 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 146.0-1 (sid) | 2025
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Scope: local
sid: resolved (fixed in 146.0-1)
debian
CVE-2026-2758 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 148.0-1 (sid) | 2026
Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Scope: local
sid: resolved (fixed in 148.0-1)
debian
CVE-2026-4702 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 149.0-1 (sid) | 2026
JIT miscompilation in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Scope: local
sid: resolved (fixed in 149.0-1)
debian
CVE-2026-2770 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 148.0-1 (sid) | 2026
Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Scope: local
sid: resolved (fixed in 148.0-1)
debian
CVE-2026-2763 | P3 | CRITICAL | CVSS 9.8 | fixed in firefox 148.0-1 (sid) | 2026
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Scope: local
sid: resolved (fixed in 148.0-1)
debian