Mozilla Firefox vulnerabilities
3,255 known vulnerabilities affecting mozilla/firefox.
Total CVEs: 3,255
CISA KEV: 17 (actively exploited)
Public exploits: 123
Exploited in wild: 22
Severity breakdown
CRITICAL 875 | HIGH 984 | MEDIUM 1322 | LOW 72 | UNKNOWN 2
Vulnerabilities
Page 4 of 163
CVE-2026-6786 | HIGH | CVSS 7.5 | CWE-125 | fixed in 150.0 | ≥ 140.0, < 140.10.0 | 2026-04-26
Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunder
nvd, mozilla
CVE-2026-41907 | HIGH | CVSS 8.1 | CWE-787 | 2026-04-24
uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality
A flaw was found in uuid. The library's versions v3, v5, and v6 do not adequately check the size of external memory buffers provided by applications. This oversight allows the library to write data beyond the designated buffer limits without signaling an error. Such out-of-bounds writes can
redhat
CVE-2026-41305 | MEDIUM | CVSS 6.1 | CWE-79 | 2026-04-24
postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags
A flaw was found in PostCSS. This vulnerability allows a remote attacker to perform Cross-Site Scripting (XSS) by submitting specially crafted CSS. When PostCSS processes and re-stringifies this CSS for embedding within HTML `<style>` tags, it fails to properly escape `</style>` sequences. This oversight
redhat
CVE-2026-41988 | LOW | CVSS 3.2 | CWE-787 | 2026-04-23
uuid: uuid: Unexpected data writes when using external output buffers with specific UUID versions
A flaw was found in uuid. When external output buffers are used with UUID versions 3, 5, or 6, an attacker with local access may be able to cause unexpected data writes. This vulnerability could lead to low impact data integrity issues. UUID version 4 is not affected.
redhat
CVE-2026-6771 | CRITICAL | CVSS 9.8 | CWE-288 | fixed in 150.0 | ≥ 140.0, < 140.10.0 | 2026-04-21
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla, redhat
CVE-2026-6748 | CRITICAL | CVSS 9.8 | CWE-457 | fixed in 140.10.0 | fixed in 150.0 | 2026-04-21
Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla, redhat
CVE-2026-6768 | CRITICAL | CVSS 9.8 | CWE-288 | fixed in 150.0 | 2026-04-21
Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla
CVE-2026-6760 | CRITICAL | CVSS 9.8 | CWE-288 | fixed in 150.0 | 2026-04-21
Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla, redhat
CVE-2026-6752 | HIGH | CVSS 7.3 | CWE-119 | fixed in 115.35.0 | fixed in 150.0 | +1 more | 2026-04-21
Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla, redhat
CVE-2026-6753 | HIGH | CVSS 7.3 | CWE-119 | fixed in 140.10.0 | fixed in 150.0 | 2026-04-21
Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla, redhat
CVE-2026-6773 | HIGH | CVSS 7.5 | CWE-190 | fixed in 150.0 | 2026-04-21
Denial-of-service due to integer overflow in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla
CVE-2026-6751 | HIGH | CVSS 7.3 | CWE-457 | fixed in 140.10.0 | fixed in 150.0 | 2026-04-21
Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla, redhat
CVE-2026-6749 | HIGH | CVSS 7.5 | CWE-908 | fixed in 115.35.0 | fixed in 150.0 | +1 more | 2026-04-21
Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla, redhat
CVE-2026-6766 | HIGH | CVSS 7.5 | CWE-754 | fixed in 140.10.0 | fixed in 150.0 | 2026-04-21
Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla, redhat
CVE-2026-6784 | HIGH | CVSS 7.5 | CWE-125 | fixed in 150.0 | 2026-04-21
Memory safety bugs present in Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla
CVE-2026-6761 | HIGH | CVSS 8.8 | CWE-269 | fixed in 140.10.0 | fixed in 150.0 | 2026-04-21
Privilege escalation in the Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla, redhat
CVE-2026-6781 | HIGH | CVSS 7.5 | CWE-400 | fixed in 150.0 | 2026-04-21
Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
nvd, mozilla
CVE-2026-6746 | HIGH | CVSS 7.5 | CWE-416 | fixed in 115.35.0 | fixed in 150.0 | +1 more | 2026-04-21
Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla, redhat
CVE-2026-22020 | HIGH | CVSS 7.1 | CWE-787 | 2026-04-21
openjdk: libpng: OpenJDK: Update LibPNG (Oracle CPU 2026-04)
No description is available for this CVE.
Package: java-11-openjdk (Red Hat build of OpenJDK 11 ELS) - Affected
Package: java-11-openjdk-portable (Red Hat build of OpenJDK 11 ELS) - Affected
Package: java-11-openjdk-windows (Red Hat build of OpenJDK 11 ELS) - Affected
Package: java-17-openjdk-portable (Red Hat build of OpenJDK 17) - Affected
redhat
CVE-2026-6776 | HIGH | CVSS 7.8 | CWE-119 | fixed in 140.10.0 | fixed in 150.0 | 2026-04-21
Incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
nvd, mozilla