CVE-2026-2447

NameCVE-2026-2447
DescriptionHeap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird < 140.7.2, and Thunderbird < 147.0.2.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
firefox (PTS)sid147.0.3-1vulnerable
firefox-esr (PTS)bullseye115.14.0esr-1~deb11u1vulnerable
bullseye (security)140.7.0esr-1~deb11u1vulnerable
bookworm128.14.0esr-1~deb12u1vulnerable
bookworm (security)140.7.0esr-1~deb12u1vulnerable
trixie140.4.0esr-1~deb13u1vulnerable
trixie (security)140.7.0esr-1~deb13u1vulnerable
forky, sid140.7.0esr-1vulnerable
libvpx (PTS)bullseye1.9.0-1+deb11u3vulnerable
bullseye (security)1.9.0-1+deb11u4vulnerable
bookworm, bookworm (security)1.12.0-1+deb12u4vulnerable
trixie1.15.0-2.1vulnerable
forky, sid1.16.0-2vulnerable
thunderbird (PTS)bullseye1:115.12.0-1~deb11u1vulnerable
bullseye (security)1:140.7.1esr-1~deb11u1vulnerable
bookworm1:140.6.0esr-1~deb12u1vulnerable
bookworm (security)1:140.7.1esr-1~deb12u1vulnerable
trixie1:140.6.0esr-1~deb13u1vulnerable
trixie (security)1:140.7.1esr-1~deb13u1vulnerable
forky, sid1:140.7.1esr-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
firefoxsource(unstable)(unfixed)
firefox-esrsource(unstable)(unfixed)
libvpxsource(unstable)(unfixed)
thunderbirdsource(unstable)(unfixed)

Notes

https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-11/
Search for package or bug name: Reporting problems