PatchSiren cyber security CVE debrief
CVE-2026-2447 Mozilla CVE debrief
CVE-2026-2447 is a high-severity vulnerability in libvpx, a library used in Mozilla products. The vulnerability is a heap buffer overflow, which can be exploited by attackers to execute arbitrary code. It was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2. Users of these products should update to the latest versions to mitigate the vulnerability. The CVE was published on February 16, 2026, and last modified on June 30, 2026.
- Vendor: Mozilla
- Product: Firefox
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-16
- Original CVE updated: 2026-06-30
- Advisory published: 2026-02-16
- Advisory updated: 2026-06-30
Who should care
Users of Mozilla Firefox, Firefox ESR, and Thunderbird should be aware of this vulnerability and update their products to the latest versions. Additionally, developers who use libvpx in their applications should ensure that they are using a patched version of the library. Organizations that use Mozilla products should prioritize patching this vulnerability to prevent potential attacks.
Technical summary
The vulnerability is a heap buffer overflow in libvpx, which can be exploited by attackers to execute arbitrary code. The vulnerability was introduced in an unspecified version of libvpx and was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2. The CVE has a CVSS score of 8.8 and a CVSS severity of HIGH. The vulnerability can be exploited remotely, and user interaction is required.
Defensive priority
High
Recommended defensive actions
- Update Firefox to version 147.0.4 or later
- Update Firefox ESR to version 140.7.1 or later
- Update Firefox ESR to version 115.32.1 or later
- Update Thunderbird to version 140.7.2 or later
- Update Thunderbird to version 147.0.2 or later
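Because the fixes are listed per release branch, an inventory check has to compare each install against the fix for its own major version rather than against a single minimum. The following is an added example, not code from PatchSiren or Mozilla; the status labels, the handling of a trailing `esr` tag, the inventory layout, and the rule that a major version newer than every listed fix counts as patched are assumptions.

```python
import re

# Fixed versions per product line, copied from the advisory text above.
FIXED = {
    "Firefox": ["147.0.4"],
    "Firefox ESR": ["140.7.1", "115.32.1"],
    "Thunderbird": ["140.7.2", "147.0.2"],
}

def parse(version):
    """'140.7.0esr' -> (140, 7, 0). A trailing 'esr' tag is ignored."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,3})(?:esr)?", version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(product, version):
    """Return (status, target); target is the fixed version to move to, or None."""
    fixes = sorted(parse(f) for f in FIXED[product])
    v = parse(version)
    for fix in fixes:
        if fix[0] == v[0]:  # same major branch: compare within that branch
            if v >= fix:
                return ("patched", None)
            return ("vulnerable", ".".join(map(str, fix)))
    if v[0] > fixes[-1][0]:
        # Assumption: a major version newer than every listed fix includes it.
        return ("patched", None)
    # No fix is listed for this branch: point at the next higher fixed branch.
    target = next(f for f in fixes if f[0] > v[0])
    return ("no-fix-on-branch", ".".join(map(str, target)))

def audit(inventory):
    """Return (host, product, version, status, target) for each unpatched install."""
    rows = [(h, p, v, *assess(p, v)) for h, p, v in inventory]
    return [r for r in rows if r[3] != "patched"]

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("ws-01", "Firefox", "147.0.4"),
    ("ws-02", "Firefox ESR", "140.7.0esr"),
    ("ws-03", "Firefox ESR", "128.14.0esr"),
    ("ws-04", "Thunderbird", "147.0.1"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```

An install on a branch with no listed fix, such as the constructed ESR 128 entry, is reported as `no-fix-on-branch` rather than being compared against a fix from a different branch.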
Evidence notes
The CVE was published on February 16, 2026, and last modified on June 30, 2026. The vulnerability was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2. The CVE has a CVSS score of 8.8 and a CVSS severity of HIGH.
Official resources
- CVE-2026-2447 CVE record (CVE.org)
- CVE-2026-2447 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Issue Tracking, Permissions Required
- Mitigation or vendor reference: Vendor Advisory
- Mitigation or vendor reference: Vendor Advisory
This article is AI-assisted and based on the supplied source corpus.