Mozilla Product Security Update Advisory

Overview.

Mozilla has released updates to address a number of security vulnerabilities found in its Firefox and Thunderbird (including ESR) suites.

CVE-2026-5731: Categorized as a memory safety issue.
CVE-2026-5732: Categorized as a boundary condition error and integer overflow issue.
CVE-2026-5733: Categorized as a boundary condition error in WebGPU processing.
CVE-2026-5734: Categorized as a memory safety issue.
CVE-2026-5735: Categorized as a memory safety issue.
such vulnerabilities can be exploited for remote code execution, denial of service, or information leakage via memory corruption or boundary errors.

CVE-2026-5731: Firefox before 149.0.2, Firefox ESR before 115.34.1, Firefox ESR before 140.9.1, Thunderbird before 149.0.2, Thunderbird ESR before 140.9.1. Patch versions are Firefox 149.0.2, Firefox ESR 115.34.1 and 140.9.1, Thunderbird 149.0.2, Thunderbird ESR 140.9.1.
CVE-2026-5732: Firefox before 149.0.2, Firefox ESR before 140.9.1, Thunderbird before 149.0.2, Thunderbird ESR before 140.9.1. Patch versions are Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, Thunderbird ESR 140.9.1.
CVE-2026-5733: Firefox 149.0.2 and earlier, Thunderbird 149.0.2 and earlier. Patched versions are Firefox 149.0.2 and Thunderbird 149.0.2.
CVE-2026-5734: Firefox before 149.0.2, Firefox ESR before 140.9.1, Thunderbird before 149.0.2, and Thunderbird ESR before 140.9.1. Patch versions are Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird ESR 140.9.1.
CVE-2026-5735: Firefox 149.0.2 and earlier, Thunderbird 149.0.2 and earlier. Patch versions are Firefox 149.0.2 and Thunderbird 149.0.2.

affected products should be updated to the patch threshold version specified for each CVE or later.
the security patches are disclosed in Mozilla Security Advisories (MFSA 2026-25 through 29).
details and additional guidance can be found at the references below.

references.