Firefox 147 Released With Fixes for 16 Vulnerabilities that Enable
Firefox 147 includes fixes for critical vulnerabilities, notably CVE-2026-0881, which targets the Messaging System, and a use-after-free flaw in IPC, identified as CVE-2026-0882. These high-impact...
Firefox 147 includes fixes for critical vulnerabilities, notably CVE-2026-0881, which targets the Messaging System, and a use-after-free flaw in IPC, identified as CVE-2026-0882. These high-impact issues, now resolved in version 147, could have enabled attackers to execute code outside sandboxed contexts.
| CVE ID | Description/Component | Impact | Reporter(s) |
|---|---|---|---|
| CVE-2026-0877 | Mitigation bypass in the DOM: Security component | High | mingijung |
| CVE-2026-0878 | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component | High | Oskar L |
| CVE-2026-0879 | Sandbox escape due to incorrect boundary conditions in the Graphics component | High | Oskar L |
| CVE-2026-0880 | Sandbox escape due to integer overflow in the Graphics component | High | Oskar L |
| CVE-2026-0881 | Sandbox escape in the Messaging System component | High | Andrew McCreight |
| CVE-2026-0882 | Use-after-free in the IPC component | High | Randell Jesup |
| CVE-2026-0883 | Information disclosure in the Networking component | Moderate | Vladislav Plyatsok |
| CVE-2026-0884 | Use-after-free in the JavaScript Engine component | Moderate | Gary Kwong and Nan Wang |
| CVE-2026-0885 | Use-after-free in the JavaScript: GC component | Moderate | Irvan Kurniawan |
| CVE-2026-0886 | Incorrect boundary conditions in the Graphics component | Moderate | Oskar L |
| CVE-2026-0887 | Clickjacking issue, information disclosure in the PDF Viewer component | Moderate | Lyra Rebane |
| CVE-2026-0888 | Information disclosure in the XML component | Low | Pier Angelo Vendrame |
| CVE-2026-0889 | Denial-of-service in the DOM: Service Workers component | Low | Elysee Franchuk, Caleb Lerch |
| CVE-2026-0890 | Spoofing issue in the DOM: Copy & Paste and Drag & Drop component | Low | Edgar Chen |
| CVE-2026-0891 | Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147 | High | Andrew McCreight, Dennis Jackson and the Mozilla Fuzzing Team |
Mozilla’s fuzzing team identified memory safety bugs fixed in CVE-2026-0891 (affecting ESR 140.6, Firefox 146, Thunderbird 146) and CVE-2026-0892 (Firefox/Thunderbird 146). Bugs like 1964722 and 2004443 exhibited corruption patterns ripe for exploitation.
Organizations should prioritize updates via Firefox’s auto-updater or admin consoles.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.