CVE-2026-2447

NameCVE-2026-2447
DescriptionHeap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird < 140.7.2, and Thunderbird < 147.0.2.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4489-1, DSA-6143-1
Debian Bugs1128283

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
firefox (PTS)sid147.0.4-1fixed
firefox-esr (PTS)bullseye115.14.0esr-1~deb11u1vulnerable
bullseye (security)140.7.0esr-1~deb11u1vulnerable
bookworm128.14.0esr-1~deb12u1vulnerable
bookworm (security)140.7.0esr-1~deb12u1vulnerable
trixie140.4.0esr-1~deb13u1vulnerable
trixie (security)140.7.0esr-1~deb13u1vulnerable
forky, sid140.7.0esr-1vulnerable
libvpx (PTS)bullseye1.9.0-1+deb11u3vulnerable
bullseye (security)1.9.0-1+deb11u5fixed
bookworm1.12.0-1+deb12u4vulnerable
bookworm (security)1.12.0-1+deb12u5fixed
trixie1.15.0-2.1vulnerable
trixie (security)1.15.0-2.1+deb13u1fixed
forky, sid1.16.0-3fixed
thunderbird (PTS)bullseye1:115.12.0-1~deb11u1vulnerable
bullseye (security)1:140.7.1esr-1~deb11u1vulnerable
bookworm1:140.6.0esr-1~deb12u1vulnerable
bookworm (security)1:140.7.1esr-1~deb12u1vulnerable
trixie1:140.6.0esr-1~deb13u1vulnerable
trixie (security)1:140.7.1esr-1~deb13u1vulnerable
forky, sid1:140.7.1esr-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
firefoxsource(unstable)147.0.4-1unimportant
firefox-esrsource(unstable)(unfixed)unimportant
libvpxsourcebullseye1.9.0-1+deb11u5DLA-4489-1
libvpxsourcebookworm1.12.0-1+deb12u5DSA-6143-1
libvpxsourcetrixie1.15.0-2.1+deb13u1DSA-6143-1
libvpxsource(unstable)1.16.0-31128283
thunderbirdsource(unstable)(unfixed)unimportant

Notes

https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-11/
Firefox, Firefox ESR and Thunderbird use the system libvpx library
Same issue as CVE-2026-1861/chromium
https://issues.oss-fuzz.com/issues/476466137
https://chromium.googlesource.com/webm/libvpx/+/d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1
Search for package or bug name: Reporting problems