Advisory

Mozilla Releases Security Updates for Firefox and Thunderbird

Take action: If you're using Mozilla Firefox or Thunderbird, enable automatic updates for your browsers and mail clients and force an update. Even if the flaw is not critical, it's still better to update the browser and email client; they are your windows into the internet. Since this vulnerability can be triggered just by visiting a website or playing a video, patching is your best defense.



Mozilla released security patches for Firefox and Thunderbird to address a high-severity vulnerability within the libvpx video codec library. 

The flaw impacts how these applications process VP8 and VP9 video formats, which are widely used for multimedia content across platforms. 

The vulnerability is tracked as CVE-2026-2447 (CVSS score 8.8). It is a heap buffer overflow in the libvpx video codec library that occurs during the decoding of VP8 and VP9 video streams. By providing malformed or oversized video data, an attacker forces the library to write data past the end of its allocated memory buffer in the heap. This memory corruption allows the attacker to overwrite adjacent memory regions, leading to arbitrary code execution or application crashes. This effectively bypasses memory safety boundaries, allowing remote hackers to gain control of the browser process without any user interaction beyond viewing a malicious video.

Mozilla released the fixes under advisories MFSA 2026-10 for Firefox and MFSA 2026-11 for Thunderbird. The flaw is patched in Firefox 147.0.4, Firefox ESR 115.32.1, Firefox ESR 140.7.1, Thunderbird 140.7.2 and Thunderbird 147.0.2.

The risk is lower in standard email contexts where scripting is disabled, but the flaw can be exploited in Thunderbird in any browser-like context within the mail client, such as when viewing web-based content or using integrated browser features.

Users should update their software immediately by navigating to the Help > About menu in Firefox or Thunderbird to trigger the automatic update process. 
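For teams checking many machines rather than one, the fixed versions listed above can be turned into an inventory check. This is an added example, not Mozilla's tooling: the product keys (`firefox`, `firefox-esr`, `thunderbird`), the host names and the inventory rows are constructed, and treating branches newer than the listed ones as patched is an assumption.

```python
import re

# First fixed version per major branch, as listed in this advisory.
# Product keys are hypothetical labels chosen for this example.
FIXED = {
    "firefox": {147: (147, 0, 4)},
    "firefox-esr": {115: (115, 32, 1), 140: (140, 7, 1)},
    "thunderbird": {140: (140, 7, 2), 147: (147, 0, 2)},
}

def parse_version(text):
    """'140.7.1esr' -> (140, 7, 1); '147.0' -> (147, 0, 0)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def status(product, version_text):
    """Return 'patched', 'vulnerable' or 'no-fix-listed' for one install."""
    branches = FIXED[product.lower()]
    ver = parse_version(version_text)
    if ver[0] in branches:
        # Same branch as a listed fix: compare full version tuples.
        return "patched" if ver >= branches[ver[0]] else "vulnerable"
    if ver[0] > max(branches):
        # Assumption: branches newer than the listed ones carry the fix.
        return "patched"
    # Older or in-between branch: the advisory lists no fix for it,
    # so the install has to move to one of the listed branches.
    return "no-fix-listed"

# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("ws-01", "firefox", "147.0.4"),
    ("ws-02", "firefox", "146.0.1"),
    ("ws-03", "firefox-esr", "140.7.0esr"),
    ("ws-04", "firefox-esr", "115.32.1esr"),
    ("ws-05", "thunderbird", "140.7.2"),
    ("ws-06", "thunderbird", "147.0.1"),
]

def needs_update(rows):
    """Return (host, product, version, status) for every unpatched install."""
    checked = ((h, p, v, status(p, v)) for h, p, v in rows)
    return [row for row in checked if row[3] != "patched"]

if __name__ == "__main__":
    for row in needs_update(INVENTORY):
        print(*row)
```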
