RLSA-2026:5930

Source
https://errata.rockylinux.org/RLSA-2026:5930
Import Source
https://storage.googleapis.com/resf-osv-data/RLSA-2026:5930.json
JSON Data
https://api.osv.dev/v1/vulns/RLSA-2026:5930
Upstream
  • CVE-2026-4684
  • CVE-2026-4685
  • CVE-2026-4686
  • CVE-2026-4687
  • CVE-2026-4688
  • CVE-2026-4689
  • CVE-2026-4690
  • CVE-2026-4691
  • CVE-2026-4692
  • CVE-2026-4693
  • CVE-2026-4694
  • CVE-2026-4695
  • CVE-2026-4696
  • CVE-2026-4697
  • CVE-2026-4698
  • CVE-2026-4699
  • CVE-2026-4700
  • CVE-2026-4701
  • CVE-2026-4702
  • CVE-2026-4704
  • CVE-2026-4705
  • CVE-2026-4706
  • CVE-2026-4707
  • CVE-2026-4708
  • CVE-2026-4709
  • CVE-2026-4710
  • CVE-2026-4711
  • CVE-2026-4712
  • CVE-2026-4713
  • CVE-2026-4714
  • CVE-2026-4715
  • CVE-2026-4716
  • CVE-2026-4717
  • CVE-2026-4718
  • CVE-2026-4719
  • CVE-2026-4720
  • CVE-2026-4721
Published
2026-04-07T12:03:55.701474Z
Modified
2026-04-07T12:30:25.029480Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Important: firefox security update
Details

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

  • firefox: thunderbird: Use-after-free in the JavaScript Engine component (CVE-2026-4701)

  • firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 (CVE-2026-4721)

  • firefox: thunderbird: Privilege escalation in the Netmonitor component (CVE-2026-4717)

  • firefox: thunderbird: Sandbox escape due to use-after-free in the Disability Access APIs component (CVE-2026-4688)

  • firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4706)

  • firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: Web Codecs component (CVE-2026-4695)

  • firefox: thunderbird: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component (CVE-2026-4689)

  • firefox: thunderbird: JIT miscompilation in the JavaScript Engine: JIT component (CVE-2026-4698)

  • firefox: thunderbird: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component (CVE-2026-4716)

  • firefox: thunderbird: Race condition, use-after-free in the Graphics: WebRender component (CVE-2026-4684)

  • firefox: thunderbird: Undefined behavior in the WebRTC: Signaling component (CVE-2026-4705)

  • firefox: thunderbird: Uninitialized memory in the Graphics: Canvas2D component (CVE-2026-4715)

  • firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4685)

  • firefox: thunderbird: Incorrect boundary conditions in the Audio/Video component (CVE-2026-4714)

  • firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: GMP component (CVE-2026-4709)

  • firefox: thunderbird: Incorrect boundary conditions in the Audio/Video component (CVE-2026-4710)

  • firefox: thunderbird: Information disclosure in the Widget: Cocoa component (CVE-2026-4712)

  • firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: Web Codecs component (CVE-2026-4697)

  • firefox: thunderbird: Incorrect boundary conditions in the Graphics component (CVE-2026-4713)

  • firefox: thunderbird: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component (CVE-2026-4690)

  • firefox: thunderbird: Use-after-free in the Widget: Cocoa component (CVE-2026-4711)

  • firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4686)

  • firefox: thunderbird: Incorrect boundary conditions in the Graphics component (CVE-2026-4708)

  • firefox: thunderbird: Use-after-free in the CSS Parsing and Computation component (CVE-2026-4691)

  • firefox: thunderbird: Incorrect boundary conditions in the Layout: Text and Fonts component (CVE-2026-4699)

  • firefox: thunderbird: Use-after-free in the Layout: Text and Fonts component (CVE-2026-4696)

  • firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: Playback component (CVE-2026-4693)

  • firefox: thunderbird: Undefined behavior in the WebRTC: Signaling component (CVE-2026-4718)

  • firefox: thunderbird: JIT miscompilation in the JavaScript Engine component (CVE-2026-4702)

  • firefox: thunderbird: Incorrect boundary conditions in the Graphics: Text component (CVE-2026-4719)

  • firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics component (CVE-2026-4694)

  • firefox: thunderbird: Sandbox escape in the Responsive Design Mode component (CVE-2026-4692)

  • firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 (CVE-2026-4720)

  • firefox: thunderbird: Mitigation bypass in the Networking: HTTP component (CVE-2026-4700)

  • firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4707)

  • firefox: thunderbird: Denial-of-service in the WebRTC: Signaling component (CVE-2026-4704)

  • firefox: thunderbird: Sandbox escape due to incorrect boundary conditions in the Telemetry component (CVE-2026-4687)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References
Credits
    • Rocky Enterprise Software Foundation
    • Red Hat

Affected packages

Rocky Linux:9 / firefox

Package

Name
firefox
Purl
pkg:rpm/rocky-linux/firefox?distro=rocky-linux-9&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0:140.9.0-1.el9_7
Database specific
{
    "yum_repository": "AppStream"
}

Database specific

source
"https://storage.googleapis.com/resf-osv-data/RLSA-2026:5930.json"