Debian Firefox vulnerabilities

1,810 known vulnerabilities affecting debian/firefox.

Total CVEs: 1,810
CISA KEV: 11 (actively exploited)
Public exploits: 35
Exploited in wild: 15
Severity breakdown: CRITICAL 333, HIGH 633, MEDIUM 542, LOW 302

Vulnerabilities

Page 6 of 91
CVE-2026-4693 | HIGH | CVSS 7.5 | fixed in firefox 149.0-1 (sid) | 2026
CVE-2026-4693 [HIGH]: firefox - Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. Scope: local; sid: resolved (fixed in 149.0-1)
CVE-2026-4686 | HIGH | CVSS 7.5 | fixed in firefox 149.0-1 (sid) | 2026
CVE-2026-4686 [HIGH]: firefox - Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. Scope: local; sid: resolved (fixed in 149.0-1)
CVE-2026-24869 | HIGH | CVSS 8.8 | fixed in firefox 147.0.2-1 (sid) | 2026
CVE-2026-24869 [HIGH]: firefox - Use-after-free in the Layout: Scrolling and Overflow component. This vulnerability affects Firefox < 147.0.2. Scope: local; sid: resolved (fixed in 147.0.2-1)
CVE-2026-3847 | HIGH | CVSS 8.8 | fixed in firefox 148.0.2-1 (sid) | 2026
CVE-2026-3847 [HIGH]: firefox - Memory safety bugs present in Firefox 148.0.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 148.0.2. Scope: local; sid: resolved (fixed in 148.0.2-1)
CVE-2026-0877 | HIGH | CVSS 8.1 | fixed in firefox 147.0-1 (sid) | 2026
CVE-2026-0877 [HIGH]: firefox - Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. Scope: local; sid: resolved (fixed in 147.0-1)
CVE-2026-4694 | HIGH | CVSS 7.5 | fixed in firefox 149.0-1 (sid) | 2026
CVE-2026-4694 [HIGH]: firefox - Incorrect boundary conditions, integer overflow in the Graphics component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. Scope: local; sid: resolved (fixed in 149.0-1)
CVE-2026-0888 | MEDIUM | CVSS 5.3 | fixed in firefox 147.0-1 (sid) | 2026
CVE-2026-0888 [MEDIUM]: firefox - Information disclosure in the XML component. This vulnerability affects Firefox < 147 and Thunderbird < 147. Scope: local; sid: resolved (fixed in 147.0-1)
CVE-2026-0885 | MEDIUM | CVSS 6.5 | fixed in firefox 147.0-1 (sid) | 2026
CVE-2026-0885 [MEDIUM]: firefox - Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. Scope: local; sid: resolved (fixed in 147.0-1)
CVE-2026-0890 | MEDIUM | CVSS 5.4 | fixed in firefox 147.0-1 (sid) | 2026
CVE-2026-0890 [MEDIUM]: firefox - Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. Scope: local; sid: resolved (fixed in 147.0-1)
CVE-2026-24868 | MEDIUM | CVSS 6.5 | fixed in firefox 147.0.2-1 (sid) | 2026
CVE-2026-24868 [MEDIUM]: firefox - Mitigation bypass in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 147.0.2. Scope: local; sid: resolved (fixed in 147.0.2-1)
CVE-2026-3846 | MEDIUM | CVSS 6.5 | fixed in firefox 148.0.2-1 (sid) | 2026
CVE-2026-3846 [MEDIUM]: firefox - Same-origin policy bypass in the CSS Parsing and Computation component. This vulnerability affects Firefox < 148.0.2. Scope: local; sid: resolved (fixed in 148.0.2-1)
CVE-2026-2802 | MEDIUM | CVSS 4.2 | fixed in firefox 148.0-1 (sid) | 2026
CVE-2026-2802 [MEDIUM]: firefox - Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148. Scope: local; sid: resolved (fixed in 148.0-1)
CVE-2026-2804 | MEDIUM | CVSS 5.4 | fixed in firefox 148.0-1 (sid) | 2026
CVE-2026-2804 [MEDIUM]: firefox - Use-after-free in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148. Scope: local; sid: resolved (fixed in 148.0-1)
CVE-2026-4728 | MEDIUM | CVSS 6.5 | fixed in firefox 149.0-1 (sid) | 2026
CVE-2026-4728 [MEDIUM]: firefox - Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 149 and Thunderbird < 149. Scope: local; sid: resolved (fixed in 149.0-1)
CVE-2026-0887 | MEDIUM | CVSS 4.3 | fixed in firefox 147.0-1 (sid) | 2026
CVE-2026-0887 [MEDIUM]: firefox - Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. Scope: local; sid: resolved (fixed in 147.0-1)
CVE-2026-0886 | MEDIUM | CVSS 5.3 | fixed in firefox 147.0-1 (sid) | 2026
CVE-2026-0886 [MEDIUM]: firefox - Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. Scope: local; sid: resolved (fixed in 147.0-1)
CVE-2026-0883 | MEDIUM | CVSS 5.3 | fixed in firefox 147.0-1 (sid) | 2026
CVE-2026-0883 [MEDIUM]: firefox - Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. Scope: local; sid: resolved (fixed in 147.0-1)
CVE-2026-3845 | LOW | CVSS 8.8 | 2026
CVE-2026-3845 [HIGH]: firefox - Heap buffer overflow in the Audio/Video: Playback component in Firefox for Android. This vulnerability affects Firefox < 148.0.2. Scope: local; sid: resolved
CVE-2026-2634 | LOW | CVSS 9.8 | 2026
CVE-2026-2634 [CRITICAL]: firefox - Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability affects Firefox for iOS < 147.4. Scope: local; sid: resolved
CVE-2026-2032 | LOW | CVSS 4.3 | 2026
CVE-2026-2032 [MEDIUM]: firefox - Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability affects Firefox for iOS < 147.2.1. Scope: local; sid: resolved