PatchSiren

CVE-2026-2447 Mozilla CVE debrief

CVE-2026-2447 is a high-severity vulnerability in libvpx, a library used in Mozilla products. The vulnerability is a heap buffer overflow, which can be exploited by attackers to execute arbitrary code. It was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2. Users of these products should update to the latest versions to mitigate the vulnerability. The CVE was published on February 16, 2026, and last modified on June 30, 2026.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-16
Original CVE updated: 2026-06-30
Advisory published: 2026-02-16
Advisory updated: 2026-06-30

Who should care

Users of Mozilla Firefox, Firefox ESR, and Thunderbird should be aware of this vulnerability and update their products to the latest versions. Additionally, developers who use libvpx in their applications should ensure that they are using a patched version of the library. Organizations that use Mozilla products should prioritize patching this vulnerability to prevent potential attacks.

Technical summary

The vulnerability is a heap buffer overflow in libvpx, which can be exploited by attackers to execute arbitrary code. The vulnerability was introduced in an unspecified version of libvpx and was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2. The CVE has a CVSS score of 8.8 and a CVSS severity of HIGH. The vulnerability can be exploited remotely, and user interaction is required.

Defensive priority

High

Recommended defensive actions

  • Update Firefox to version 147.0.4 or later
  • Update Firefox ESR to version 140.7.1 or later
  • Update Firefox ESR to version 115.32.1 or later
  • Update Thunderbird to version 140.7.2 or later
  • Update Thunderbird to version 147.0.2 or later
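
Because Firefox ESR and Thunderbird each have two fixed builds on different branches, a single "version >= X" comparison misclassifies hosts (ESR 140.7.0 is above 115.32.1 but still unpatched). The following is an added example, not part of the original advisory, that checks an inventory against the fixed build for each install's own branch; the product labels, host names and inventory rows are constructed, and treating majors newer than the latest listed branch as fixed is an assumption.

```python
import re

# Fixed versions taken from the list above, grouped per product.
# The product keys are hypothetical labels for this example.
FIXED = {
    "firefox": [(147, 0, 4)],
    "firefox-esr": [(115, 32, 1), (140, 7, 1)],
    "thunderbird": [(140, 7, 2), (147, 0, 2)],
}

def parse_version(text):
    """Turn '140.7.1esr' or '147.0' into a 3-part tuple like (140, 7, 1)."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group().split(".")]
    return tuple((parts + [0, 0])[:3])

def is_patched(product, version_text):
    """True if the install is at or past the fixed build for its own branch."""
    floors = FIXED[product]
    version = parse_version(version_text)
    for floor in floors:
        if floor[0] == version[0]:      # same major: compare within the branch
            return version >= floor
    # Assumption: majors above the newest listed branch shipped after the fix;
    # any other major has no fixed build listed above and must change branch.
    return version[0] > max(f[0] for f in floors)

# Constructed inventory rows (host, product, reported version).
INVENTORY = [
    ("ws-01", "firefox", "147.0.4"),
    ("ws-02", "firefox", "147.0.3"),
    ("ws-03", "firefox-esr", "140.7.0esr"),   # above 115.32.1, still unpatched
    ("ws-04", "firefox-esr", "115.32.1esr"),
    ("ws-05", "thunderbird", "140.7.2"),
    ("ws-06", "thunderbird", "146.0"),         # no fixed build for this major
]

def unpatched_hosts(rows):
    """Return the hosts whose install is below the fix for its branch."""
    return [host for host, product, ver in rows if not is_patched(product, ver)]

if __name__ == "__main__":
    for host in unpatched_hosts(INVENTORY):
        print(f"{host}: update required for CVE-2026-2447")
```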

Evidence notes

The CVE was published on February 16, 2026, and last modified on June 30, 2026. The vulnerability was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2. The CVE has a CVSS score of 8.8 and a CVSS severity of HIGH.

This article is AI-assisted and based on the supplied source corpus.