Mozilla Product Security Update Advisory
Overview
Mozilla has released security updates to fix vulnerabilities in its products. Users of affected products are advised to update to the latest version.
Affected Products
CVE-2026-2634
Firefox for iOS before 147.4
CVE-2026-2757, CVE-2026-2758, CVE-2026-2759, CVE-2026-2760, CVE-2026-2761, CVE-2026-2763, CVE-2026-2764, CVE-2026-2770, CVE-2026-2771, CVE-2026-2772, CVE-2026-2773, CVE-2026-2774, CVE-2026-2775, CVE-2026-2776, CVE-2026-2777, CVE-2026-2778, CVE-2026-2793
Firefox version: 148 and below
Firefox ESR version: 115.33 and below
Firefox ESR version: 140.8 or lower
Thunderbird version: 148 or lower
Thunderbird version: 140.8 or lower
CVE-2026-2762, CVE-2026-2765, CVE-2026-2766, CVE-2026-2767, CVE-2026-2768, CVE-2026-2792
Firefox version: 148 and below
Firefox ESR version: 140.8 and below
Thunderbird version: 148 or lower
Thunderbird version: below 140.8
CVE-2026-2794
Firefox version: below 148
CVE-2026-2795, CVE-2026-2796, CVE-2026-2797, CVE-2026-2799, CVE-2026-2807
Firefox version: below 148
Thunderbird version: less than 148
Resolved Vulnerabilities
Vulnerability in Firefox for iOS that allows script-based navigation to display web content masquerading as a trusted domain (CVE-2026-2634)
Incorrect boundary condition handling vulnerability in the WebRTC audio/video component (CVE-2026-2757)
Use-after-free vulnerability in the JavaScript: GC component (CVE-2026-2758)
Incorrect boundary condition handling vulnerability in the Graphics: ImageLib component (CVE-2026-2759)
Sandbox escape vulnerability due to incorrect boundary conditions in the Graphics: WebRender component (CVE-2026-2760)
Sandbox escape vulnerability in the Graphics: WebRender component (CVE-2026-2761)
Integer overflow vulnerability in JavaScript standard library components (CVE-2026-2762)
Use-after-free vulnerability in the JavaScript Engine component (CVE-2026-2763)
JIT miscompilation and use-after-free vulnerability in JavaScript Engine: JIT components (CVE-2026-2764)
Use-after-free vulnerability in JavaScript Engine components (CVE-2026-2765)
Use-after-free vulnerability in JavaScript Engine: JIT components (CVE-2026-2766)
Use-after-free vulnerability in the JavaScript: WebAssembly component (CVE-2026-2767)
Sandbox escape vulnerability in the Storage: IndexedDB component (CVE-2026-2768)
Use-after-free vulnerability in the DOM: Bindings (WebIDL) component (CVE-2026-2770)
Undefined behavior vulnerability in the DOM: Core & HTML component (CVE-2026-2771)
Use-after-free vulnerability in the Audio/Video: Playback component (CVE-2026-2772)
Incorrect boundary condition handling vulnerability in the Web Audio component (CVE-2026-2773)
Integer overflow vulnerability in the Audio/Video component (CVE-2026-2774)
Mitigation bypass vulnerability in the DOM: HTML Parser component (CVE-2026-2775)
Sandbox escape vulnerability due to incorrect boundary conditions in the Telemetry component of External Software (CVE-2026-2776)
Privilege escalation vulnerability in the Messaging System component (CVE-2026-2777)
Sandbox escape vulnerability due to incorrect boundary conditions in the DOM: Core & HTML component (CVE-2026-2778)
Memory safety vulnerability fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148, and Thunderbird 148 (CVE-2026-2792)
Memory safety vulnerability fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2793)
Information disclosure vulnerability due to uninitialized memory in Firefox and Firefox Focus for Android (CVE-2026-2794)
Use-after-free vulnerability in JavaScript: GC components (CVE-2026-2795)
JIT miscompilation vulnerability in the JavaScript: WebAssembly component (CVE-2026-2796)
Use-after-free vulnerability in the JavaScript: GC component (CVE-2026-2797)
Use-after-free vulnerability in the DOM: Core & HTML component (CVE-2026-2799)
Memory safety vulnerability fixed in Firefox 148 and Thunderbird 148 (CVE-2026-2807)
Vulnerability Patches
Patches for these vulnerabilities are available in the latest updates. Follow the instructions on the sites listed under References to update to the latest patched version.
CVE-2026-2634
Firefox for iOS 147.4
CVE-2026-2757, CVE-2026-2758, CVE-2026-2759, CVE-2026-2760, CVE-2026-2761, CVE-2026-2763, CVE-2026-2764, CVE-2026-2770, CVE-2026-2771, CVE-2026-2772, CVE-2026-2773, CVE-2026-2774, CVE-2026-2775, CVE-2026-2776, CVE-2026-2777, CVE-2026-2778, CVE-2026-2793
Firefox version: 148
Firefox ESR version: 115.33
Firefox ESR version: 140.8
Thunderbird version: 148
Thunderbird version: 140.8
CVE-2026-2762, CVE-2026-2765, CVE-2026-2766, CVE-2026-2767, CVE-2026-2768, CVE-2026-2792
Firefox version: 148
Firefox ESR version: 140.8
Thunderbird version: 148
Thunderbird version: 140.8
CVE-2026-2794
Firefox version: 148
CVE-2026-2795, CVE-2026-2796, CVE-2026-2797, CVE-2026-2799, CVE-2026-2807
Firefox version: 148
Thunderbird version: 148
References
[1] Mozilla Foundation Security Advisory 2026-12
https://www.mozilla.org/en-US/security/advisories/mfsa2026-12/
[2] Mozilla Foundation Security Advisory 2026-13
https://www.mozilla.org/en-US/security/advisories/mfsa2026-13/
[3] Mozilla Foundation Security Advisory 2026-14
https://www.mozilla.org/en-US/security/advisories/mfsa2026-14/
[4] Mozilla Foundation Security Advisory 2026-15
https://www.mozilla.org/en-US/security/advisories/mfsa2026-15/
[5] Mozilla Foundation Security Advisory 2026-16
https://www.mozilla.org/en-US/security/advisories/mfsa2026-16/
[6] Mozilla Foundation Security Advisory 2026-17
https://www.mozilla.org/en-US/security/advisories/mfsa2026-17/