Mozilla Firefox vulnerabilities
3,257 known vulnerabilities affecting mozilla/firefox.
Total CVEs: 3,257
CISA KEV: 17 (actively exploited)
Public exploits: 123
Exploited in wild: 22
Severity breakdown: CRITICAL 875, HIGH 984, MEDIUM 1324, LOW 72, UNKNOWN 2
Vulnerabilities
Page 9 of 163
CVE-2026-2772 | CRITICAL | CVSS 9.8 | CWE-416 | fixed in 115.33.0, 148.0 (+1 more) | 2026-02-24
Use-after-free in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Sources: nvd, mozilla
CVE-2026-2776 | CRITICAL | CVSS 10.0 | CWE-119 | fixed in 115.33.0, 148.0 (+1 more) | 2026-02-24
Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Sources: nvd, mozilla
CVE-2026-2762 | CRITICAL | CVSS 9.8 | CWE-190 | fixed in 140.8.0, 148.0 | 2026-02-24
Integer overflow in the JavaScript: Standard Library component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Sources: nvd, mozilla
CVE-2026-2791 | CRITICAL | CVSS 9.8 | CWE-288 | fixed in 140.8.0, 148.0 | 2026-02-24
Mitigation bypass in the Networking: Cache component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Sources: nvd, mozilla
CVE-2026-2765 | CRITICAL | CVSS 9.8 | CWE-416 | fixed in 140.8.0, 148.0 | 2026-02-24
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Sources: nvd, mozilla
CVE-2026-2782 | CRITICAL | CVSS 9.8 | CWE-269 | fixed in 140.8.0, 148.0 | 2026-02-24
Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Sources: nvd, mozilla
CVE-2026-2773 | CRITICAL | CVSS 9.8 | CWE-119 | fixed in 115.33.0, 148.0 (+1 more) | 2026-02-24
Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Sources: nvd, mozilla
CVE-2026-2763 | CRITICAL | CVSS 9.8 | CWE-416 | fixed in 115.33.0, 148.0 (+1 more) | 2026-02-24
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Sources: nvd, mozilla
CVE-2026-2781 | CRITICAL | CVSS 9.8 | CWE-190 | fixed in 140.8.0, 148.0 | 2026-02-24
Integer overflow in the Libraries component in NSS. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, Thunderbird 140.8, and Firefox ESR 115.35.
Sources: nvd, mozilla
CVE-2026-2777 | CRITICAL | CVSS 9.8 | CWE-269 | fixed in 115.33.0, 148.0 (+1 more) | 2026-02-24
Privilege escalation in the Messaging System component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Sources: nvd, mozilla
CVE-2026-2799 | CRITICAL | CVSS 9.8 | CWE-416 | fixed in 148.0 | 2026-02-24
Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
Sources: nvd, mozilla
CVE-2026-2768 | CRITICAL | CVSS 10.0 | CWE-284 | fixed in 140.8.0, 148.0 | 2026-02-24
Sandbox escape in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Sources: nvd, mozilla
CVE-2026-2775 | CRITICAL | CVSS 9.8 | CWE-288 | fixed in 115.33.0, 148.0 (+1 more) | 2026-02-24
Mitigation bypass in the DOM: HTML Parser component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Sources: nvd, mozilla
CVE-2026-2792 | CRITICAL | CVSS 9.8 | CWE-787 | fixed in 140.8.0, 148.0 | 2026-02-24
Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thun
Sources: nvd, mozilla
CVE-2026-2774 | CRITICAL | CVSS 9.8 | CWE-190 | fixed in 115.33.0, 148.0 (+1 more) | 2026-02-24
Integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Sources: nvd, mozilla
CVE-2026-2796 | CRITICAL | CVSS 9.8 | CWE-843 | fixed in 148.0 | 2026-02-24
JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
Sources: nvd, mozilla
CVE-2026-2807 | CRITICAL | CVSS 9.8 | CWE-787 | fixed in 148.0 | 2026-02-24
Memory safety bugs present in Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
Sources: nvd, mozilla
CVE-2026-2780 | CRITICAL | CVSS 9.8 | CWE-269 | fixed in 140.8.0, 148.0 | 2026-02-24
Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Sources: nvd, mozilla
CVE-2026-2778 | CRITICAL | CVSS 10.0 | CWE-119 | fixed in 115.33.0, 148.0 (+1 more) | 2026-02-24
Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Sources: nvd, mozilla
CVE-2026-2784 | CRITICAL | CVSS 9.8 | CWE-288 | fixed in 140.8.0, 148.0 | 2026-02-24
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Sources: nvd, mozilla