Mozilla Product Security Update Advisory
Overview
We have released security updates that address vulnerabilities in Mozilla products. Users of affected products are encouraged to update to the latest version.
Affected Products
CVE-2026-4371
Thunderbird version: 149 and earlier
Thunderbird version: 140.9 or earlier
CVE-2026-4689, CVE-2026-4692, CVE-2026-4694, CVE-2026-4709, CVE-2026-4721
Firefox version: 149 and below
Firefox ESR version: 115.34 and below
Firefox ESR version: 140.9 or lower
Thunderbird version: 149 or lower
Thunderbird version: less than 140.9
CVE-2026-4720
Firefox version: below 149
Firefox ESR version: below 140.9
Thunderbird version: less than 149
Thunderbird version: below 140.9
CVE-2026-4729
Firefox version: below 149
Thunderbird version: less than 149
Resolved Vulnerabilities
Out-of-bounds read vulnerability in IMAP parsing (CVE-2026-4371)
Sandbox escape vulnerability due to incorrect boundary conditions and miscalculation overflow in the XPCOM component (CVE-2026-4689)
Sandbox escape vulnerability in the Responsive Design Mode component (CVE-2026-4692)
Incorrect boundary condition vulnerability in the Graphics component (CVE-2026-4694)
Invalid boundary condition vulnerability in the Audio/Video: GMP component (CVE-2026-4709)
Memory safety-related bug (CVE-2026-4720) fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149, and Thunderbird 149
Memory safety-related bug (CVE-2026-4721) fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149, and Thunderbird 149
Memory safety-related bug (CVE-2026-4729) fixed in Firefox 149 and Thunderbird 149
Vulnerability Patches
Vulnerability patches have been made available in the latest updates. Please follow the instructions on the reference sites to update to the latest patched version.
CVE-2026-4371
Thunderbird version: 149
Thunderbird version: 140.9
CVE-2026-4689, CVE-2026-4692, CVE-2026-4694, CVE-2026-4709, CVE-2026-4721
Firefox version: 149
Firefox ESR version: 115.34
Firefox ESR version: 140.9
Thunderbird version: 149
Thunderbird version: 140.9
CVE-2026-4720
Firefox version: 149
Firefox ESR version: 140.9
Thunderbird version: 149
Thunderbird version: 140.9
CVE-2026-4729
Firefox version: 149
Thunderbird version: 149
References
[1] Mozilla Foundation Security Advisory 2026-20
https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/
[2] Mozilla Foundation Security Advisory 2026-21
https://www.mozilla.org/en-US/security/advisories/mfsa2026-21/
[3] Mozilla Foundation Security Advisory 2026-22
https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/
[4] Mozilla Foundation Security Advisory 2026-23
https://www.mozilla.org/en-US/security/advisories/mfsa2026-23/
[5] Mozilla Foundation Security Advisory 2026-24
https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/