Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-2772

RHSA-2026:3339: firefox security update (Important)
Back to all
CVE

CVE-2026-2772

RHSA-2026:3339: firefox security update (Important)

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

  • libvpx: Heap buffer overflow in libvpx (CVE-2026-2447)
  • firefox: Invalid pointer in the JavaScript Engine component (CVE-2026-2785)
  • firefox: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2793)
  • firefox: Undefined behavior in the DOM: Core & HTML component (CVE-2026-2771)
  • firefox: Integer overflow in the Audio/Video component (CVE-2026-2774)
  • firefox: Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software (CVE-2026-2776)
  • firefox: Integer overflow in the Libraries component in NSS (CVE-2026-2781)
  • firefox: Use-after-free in the JavaScript Engine: JIT component (CVE-2026-2766)
  • firefox: Use-after-free in the Storage: IndexedDB component (CVE-2026-2769)
  • firefox: Use-after-free in the DOM: Window and Location component (CVE-2026-2787)
  • firefox: Sandbox escape in the Storage: IndexedDB component (CVE-2026-2768)
  • firefox: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component (CVE-2026-2783)
  • firefox: Incorrect boundary conditions in the Audio/Video: GMP component (CVE-2026-2788)
  • firefox: Mitigation bypass in the DOM: Security component (CVE-2026-2784)
  • firefox: Incorrect boundary conditions in the Graphics: ImageLib component (CVE-2026-2759)
  • firefox: Integer overflow in the JavaScript: Standard Library component (CVE-2026-2762)
  • firefox: Sandbox escape in the Graphics: WebRender component (CVE-2026-2761)
  • firefox: Privilege escalation in the Messaging System component (CVE-2026-2777)
  • firefox: Same-origin policy bypass in the Networking: JAR component (CVE-2026-2790)
  • firefox: Mitigation bypass in the DOM: HTML Parser component (CVE-2026-2775)
  • firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2763)
  • firefox: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2792)
  • firefox: Incorrect boundary conditions in the Web Audio component (CVE-2026-2773)
  • firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2786)
  • firefox: Use-after-free in the Graphics: ImageLib component (CVE-2026-2789)
  • firefox: thunderbird: Incorrect boundary conditions in the WebRTC: Audio/Video component (CVE-2026-2757)
  • firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component (CVE-2026-2760)
  • firefox: Use-after-free in the Audio/Video: Playback component (CVE-2026-2772)
  • firefox: Incorrect boundary conditions in the Networking: JAR component (CVE-2026-2779)
  • firefox: Use-after-free in the JavaScript: WebAssembly component (CVE-2026-2767)
  • firefox: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component (CVE-2026-2764)
  • firefox: Privilege escalation in the Netmonitor component (CVE-2026-2782)
  • firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2765)
  • firefox: Privilege escalation in the Netmonitor component (CVE-2026-2780)
  • firefox: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component (CVE-2026-2778)
  • firefox: Use-after-free in the JavaScript: GC component (CVE-2026-2758)
  • firefox: Mitigation bypass in the Networking: Cache component (CVE-2026-2791)
  • firefox: Use-after-free in the DOM: Bindings (WebIDL) component (CVE-2026-2770)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
9.8
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
-
C
H
U
-

Related Resources

No items found.

References

https://access.redhat.com/errata/RHSA-2026:3339, https://access.redhat.com/security/cve/CVE-2026-2447, https://access.redhat.com/security/cve/CVE-2026-2757, https://access.redhat.com/security/cve/CVE-2026-2758, https://access.redhat.com/security/cve/CVE-2026-2759, https://access.redhat.com/security/cve/CVE-2026-2760, https://access.redhat.com/security/cve/CVE-2026-2761, https://access.redhat.com/security/cve/CVE-2026-2762, https://access.redhat.com/security/cve/CVE-2026-2763, https://access.redhat.com/security/cve/CVE-2026-2764, https://access.redhat.com/security/cve/CVE-2026-2765, https://access.redhat.com/security/cve/CVE-2026-2766, https://access.redhat.com/security/cve/CVE-2026-2767, https://access.redhat.com/security/cve/CVE-2026-2768, https://access.redhat.com/security/cve/CVE-2026-2769, https://access.redhat.com/security/cve/CVE-2026-2770, https://access.redhat.com/security/cve/CVE-2026-2771, https://access.redhat.com/security/cve/CVE-2026-2772, https://access.redhat.com/security/cve/CVE-2026-2773, https://access.redhat.com/security/cve/CVE-2026-2774, https://access.redhat.com/security/cve/CVE-2026-2775, https://access.redhat.com/security/cve/CVE-2026-2776, https://access.redhat.com/security/cve/CVE-2026-2777, https://access.redhat.com/security/cve/CVE-2026-2778, https://access.redhat.com/security/cve/CVE-2026-2779, https://access.redhat.com/security/cve/CVE-2026-2780, https://access.redhat.com/security/cve/CVE-2026-2781, https://access.redhat.com/security/cve/CVE-2026-2782, https://access.redhat.com/security/cve/CVE-2026-2783, https://access.redhat.com/security/cve/CVE-2026-2784, https://access.redhat.com/security/cve/CVE-2026-2785, https://access.redhat.com/security/cve/CVE-2026-2786, https://access.redhat.com/security/cve/CVE-2026-2787, https://access.redhat.com/security/cve/CVE-2026-2788, https://access.redhat.com/security/cve/CVE-2026-2789, https://access.redhat.com/security/cve/CVE-2026-2790, https://access.redhat.com/security/cve/CVE-2026-2791, https://access.redhat.com/security/cve/CVE-2026-2792, https://access.redhat.com/security/cve/CVE-2026-2793

Severity

0

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
0
EPSS Probability
0.00021%
EPSS Percentile
0.06021%
Introduced Version
0
Fix Available
0:140.8.0-2.el9_7,0:140.8.0-1.el9_7,0:140.8.0-1.el8_10,0:140.8.0-2.el8_10,140.8.0esr-1~deb12u1,1:140.8.0esr-1~deb12u1,140.8.0esr-1~deb11u1,1:140.8.0esr-1~deb11u1,140.8.0esr-1~deb13u1,1:140.8.0esr-1~deb13u1,0:140.8.0-1.0.1.el9_7,0:140.8.0-2.0.1.el9_7,0:140.8.0-1.0.1.el8_10,0:140.8.0-2.0.1.el8_10,0:140.8.0-1.amzn2023.0.1,0:140.8.0-1.amzn2.0.1

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading