cbcvebase.

Mozilla Firefox vulnerabilities

3,257 known vulnerabilities affecting mozilla/firefox.

Total CVEs: 3,257
CISA KEV: 17 (actively exploited)
Public exploits: 123
Exploited in wild: 22
Severity breakdown: CRITICAL 875, HIGH 984, MEDIUM 1324, LOW 72, UNKNOWN 2

Vulnerabilities

Page 12 of 163
CVE-2026-0882 | HIGH | CVSS 8.8 | fixed in 115.32.0 | fixed in 147.0 | +1 more | 2026-01-13
CVE-2026-0882 [HIGH] CWE-416: Use-after-free in the IPC component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Sources: nvd, mozilla
CVE-2026-0889 | HIGH | CVSS 7.5 | fixed in 147.0 | 2026-01-13
CVE-2026-0889 [HIGH] CWE-400: Denial-of-service in the DOM: Service Workers component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
Sources: nvd, mozilla
CVE-2026-0891 | HIGH | CVSS 8.1 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0891 [HIGH] CWE-119: Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderb
Sources: nvd, mozilla
CVE-2026-0880 | HIGH | CVSS 8.8 | fixed in 115.32.0 | fixed in 147.0 | +1 more | 2026-01-13
CVE-2026-0880 [HIGH] CWE-190: Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Sources: nvd, mozilla
CVE-2026-0878 | HIGH | CVSS 8.0 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0878 [HIGH] CWE-20: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Sources: nvd, mozilla
CVE-2026-0890 | MEDIUM | CVSS 5.4 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0890 [MEDIUM] CWE-290: Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Sources: nvd, mozilla
CVE-2026-0887 | MEDIUM | CVSS 4.3 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0887 [MEDIUM] CWE-497: Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Sources: nvd, mozilla
CVE-2026-0885 | MEDIUM | CVSS 6.5 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0885 [MEDIUM] CWE-416: Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Sources: nvd, mozilla
CVE-2026-0888 | MEDIUM | CVSS 5.3 | fixed in 147.0 | 2026-01-13
CVE-2026-0888 [MEDIUM] CWE-200: Information disclosure in the XML component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
Sources: nvd, mozilla
CVE-2026-0883 | MEDIUM | CVSS 5.3 | fixed in 140.7.0 | fixed in 147.0 | 2026-01-13
CVE-2026-0883 [MEDIUM] CWE-200: Information disclosure in the Networking component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Sources: nvd, mozilla
CVE-2026-0886 | MEDIUM | CVSS 5.3 | fixed in 115.32.0 | fixed in 147.0 | +1 more | 2026-01-13
CVE-2026-0886 [MEDIUM] CWE-119: Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Sources: nvd, mozilla
CVE-2025-14860 | CRITICAL | CVSS 9.8 | fixed in 146.0.1 | 2025-12-18
CVE-2025-14860 [CRITICAL] CWE-416: Use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 146.0.1.
Sources: nvd, mozilla
CVE-2025-14861 | HIGH | CVSS 8.8 | fixed in 146.0.1 | 2025-12-18
CVE-2025-14861 [HIGH] CWE-119: Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 146.0.1.
Sources: nvd, mozilla
CVE-2025-14744 | MEDIUM | CVSS 6.5 | fixed in 144.0 | 2025-12-18
CVE-2025-14744 [MEDIUM] CWE-451: Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability was fixed in Firefox for iOS 144.0.
Sources: nvd, mozilla
CVE-2025-14324 | CRITICAL | CVSS 9.8 | fixed in 115.31.0 | fixed in 146.0 | +1 more | 2025-12-09
CVE-2025-14324 [CRITICAL] CWE-94: JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
Sources: nvd, mozilla
CVE-2025-14330 | CRITICAL | CVSS 9.8 | fixed in 140.6.0 | fixed in 146.0 | 2025-12-09
CVE-2025-14330 [CRITICAL] CWE-119: JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
Sources: nvd, mozilla
CVE-2025-14326 | CRITICAL | CVSS 9.8 | fixed in 146.0 | 2025-12-09
CVE-2025-14326 [CRITICAL] CWE-416: Use-after-free in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 146 and Thunderbird 146.
Sources: nvd, mozilla
CVE-2025-14321 | CRITICAL | CVSS 9.8 | fixed in 140.6.0 | fixed in 146.0 | 2025-12-09
CVE-2025-14321 [CRITICAL] CWE-416: Use-after-free in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
Sources: nvd, mozilla
CVE-2025-14327 | HIGH | CVSS 7.5 | fixed in 146.0 | 2025-12-09
CVE-2025-14327 [HIGH] CWE-290: Spoofing issue in the Downloads Panel component. This vulnerability was fixed in Firefox 146, Thunderbird 146, Firefox ESR 140.7, and Thunderbird 140.7.
Sources: nvd, mozilla
CVE-2025-14329 | HIGH | CVSS 8.8 | fixed in 140.6.0 | fixed in 146.0 | 2025-12-09
CVE-2025-14329 [HIGH]: Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
Sources: nvd, mozilla