This security update addresses multiple vulnerabilities in Firefox and Thunderbird, including high-severity use-after-free and boundary condition flaws (e.g., CVE-2026-6754, CVSS 7.5) that can lead to remote code execution or privilege escalation. Affected versions include Firefox prior to 115.35.0, prior to 150.0, and versions 140.0 through 140.10.0, as well as Thunderbird prior to 140.10.0. The fix requires updating to Firefox ESR 115.35.0, Firefox ESR 140.10.0, Firefox 150.0, or Thunderbird ESR 140.10.0, as applicable.
Red Hat Product Errata RHSA-2026:10767 - Security Advisory Issued: 2026-04-27 Updated: 2026-04-27 RHSA-2026:10767 - Security Advisory Overview Updated Packages Synopsis Important: firefox security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for firefox is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fix(es): firefox: thunderbird: Incorrect boundary conditions in the Libraries component in NSS (CVE-2026-6772) firefox: thunderbird: Use-after-free in the JavaScript Engine component (CVE-2026-6754) firefox: thunderbird: Spoofing issue in the DOM: Core & HTML component (CVE-2026-6762) firefox: thunderbird: Incorrect boundary conditions in the WebRTC component (CVE-2026-6752) firefox: thunderbird: Other issue in the Storage: IndexedDB component (CVE-2026-6770) firefox: thunderbird: Invalid pointer in the JavaScript: WebAssembly component (CVE-2026-6757) firefox: thunderbird: Other issue in the Libraries component in NSS (CVE-2026-6767) firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 (CVE-2026-6786) firefox: thunderbird: Incorrect boundary conditions in the WebRTC component (CVE-2026-6753) firefox: thunderbird: Use-after-free in the Widget: Cocoa component (CVE-2026-6759) firefox: thunderbird: Use-after-free in the WebRTC component (CVE-2026-6747) firefox: thunderbird: Information disclosure due to uninitialized memory in the Graphics: Canvas2D component (CVE-2026-6749) firefox: thunderbird: Incorrect boundary conditions in the Libraries component in NSS (CVE-2026-6766) firefox: thunderbird: Privilege escalation in the Networking component (CVE-2026-6761) firefox: thunderbird: Mitigation bypass in the File Handling component (CVE-2026-6763) firefox: thunderbird: Privilege escalation in the Graphics: WebRender component (CVE-2026-6750) firefox: thunderbird: Uninitialized memory in the Audio/Video: Web Codecs component (CVE-2026-6748) firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 (CVE-2026-6785) firefox: thunderbird: Mitigation bypass in the DOM: Security component (CVE-2026-6771) firefox: thunderbird: Incorrect boundary conditions in the DOM: Device Interfaces component (CVE-2026-6764) firefox: thunderbird: Information disclosure in the Form Autofill component (CVE-2026-6765) firefox: thunderbird: Privilege escalation in the Debugger component (CVE-2026-6769) firefox: thunderbird: Uninitialized memory in the Audio/Video: Web Codecs component (CVE-2026-6751) firefox: thunderbird: Incorrect boundary conditions in the WebRTC: Networking component (CVE-2026-6776) firefox: thunderbird: Use-after-free in the DOM: Core & HTML component (CVE-2026-6746) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 10 x86_64 Red Hat Enterprise Linux for IBM z Systems 10 s390x Red Hat Enterprise Linux for Power, little endian 10 ppc64le Red Hat Enterprise Linux for ARM 64 10 aarch64 Fixes BZ - 2460074 - CVE-2026-6772 firefox: thunderbird: Incorrect boundary conditions in the Libraries component in NSS BZ - 2460075 - CVE-2026-6754 firefox: thunderbird: Use-after-free in the JavaScript Engine component BZ - 2460076 - CVE-2026-6762 firefox: thunderbird: Spoofing issue in the DOM: Core & HTML component BZ - 2460078 - CVE-2026-6752 firefox: thunderbird: Incorrect boundary conditions in the WebRTC component BZ - 2460079 - CVE-2026-6770 firefox: thunderbird: Other issue in the Storage: IndexedDB component BZ - 2460085 - CVE-2026-6757 firefox: thunderbird: Invalid pointer in the JavaScript: WebAssembly component BZ - 2460086 - CVE-2026-6767 firefox: thunderbird: Other issue in the Libraries component in NSS BZ - 2460088 - CVE-2026-6786 firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 BZ - 2460092 - CVE-2026-6753 firefox: thunderbird: Incorrect boundary conditions in the WebRTC component BZ - 2460094 - CVE-2026-6759 firefox: thunderbird: Use-after-free in the Widget: Cocoa component BZ - 2460095 - CVE-2026-6747 firefox: thunderbird: Use-after-free in the WebRTC component BZ - 2460096 - CVE-2026-6749 firefox: thunderbird: Information disclosure due to uninitialized memory in the Graphics: Canvas2D component BZ - 2460097 - CVE-2026-6766 firefox: thunderbird: Incorrect boundary conditions in the Libraries component in NSS BZ - 2460099 - CVE-2026-6761 firefox: thunderbird: Privilege escalation in the Networking component BZ - 2460101 - CVE-2026-6763 firefox: thunderbird: Mitigation bypass in the File Handling component BZ - 2460102 - CVE-2026-6750 firefox: thunderbird: Privilege escalation in the Graphics: WebRender component BZ - 2460103 - CVE-2026-6748 firefox: thunderbird: Uninitialized memory in the Audio/Video: Web Codecs component BZ - 2460104 - CVE-2026-6785 firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150 BZ - 2460105 - CVE-2026-6771 firefox: thunderbird: Mitigation bypass in the DOM: Security component BZ - 2460106 - CVE-2026-6764 firefox: thunderbird: Incorrect boundary conditions in the DOM: Device Interfaces component BZ - 2460107 - CVE-2026-6765 firefox: thunderbird: Information disclosure in the Form Autofill component BZ - 2460108 - CVE-2026-6769 firefox: thunderbird: Privilege escalation in the Debugger component BZ - 2460109 - CVE-2026-6751 firefox: thunderbird: Uninitialized memory in the Audio/Video: Web Codecs component BZ - 2460110 - CVE-2026-6776 firefox: thunderbird: Incorrect boundary conditions in the WebRTC: Networking component BZ - 2460112 - CVE-2026-6746 firefox: thunderbird: Use-after-free in the DOM: Core & HTML component CVEs CVE-2026-6746 CVE-2026-6747 CVE-2026-6748 CVE-2026-6749 CVE-2026-6750 CVE-2026-6751 CVE-2026-6752 CVE-2026-6753 CVE-2026-6754 CVE-2026-6757 CVE-2026-6759 CVE-2026-6761 CVE-2026-6762 CVE-2026-6763 CVE-2026-6764 CVE-2026-6765 CVE-2026-6766 CVE-2026-6767 CVE-2026-6769 CVE-2026-6770 CVE-2026-6771 CVE-2026-6772 CVE-2026-6776 CVE-2026-6785 CVE-2026-6786 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 10 SRPM firefox-140.10.0-1.el10_1.src.rpm SHA-256: 9f940ad54ead0c073fc9de87a6ea51b6ffe0278a6f2c74900f447c4fe892130c x86_64 firefox-140.10.0-1.el10_1.x86_64.rpm SHA-256: 3f984ecc9a9b8906ef777f3873a3b2ee31a03e224b4980cae0a0008081fe998c firefox-debuginfo-140.10.0-1.el10_1.x86_64.rpm SHA-256: d765d56c4045acb896be20cd8a94cd335735634b32369cd266902adec79f87a0 firefox-debugsource-140.10.0-1.el10_1.x86_64.rpm SHA-256: bf31bbe748b833a666704de2a642641a0f45c0ad5af09f9506941895c4053272 Red Hat Enterprise Linux for IBM z Systems 10 SRPM firefox-140.10.0-1.el10_1.src.rpm SHA-256: 9f940ad54ead0c073fc9de87a6ea51b6ffe0278a6f2c74900f447c4fe892130c s390x firefox-140.10.0-1.el10_1.s390x.rpm SHA-256: a4838214aef4236b38385fd7ea24f37bbb99751403821827ee08c5bf27e38518 firefox-debuginfo-140.10.0-1.el10_1.s390x.rpm SHA-256: adec4584d2fc54f2cc6b3afd8cfac48f4168e3058417df219222d94ce4e0fc3c firefox-debugsource-140.10.0-1.el10_1.s390x.rpm SHA-256: 1fa4038e83692295473f17410aad8eaa03e6cdeea650236dd28a7247c5151a4d Red Hat Enterprise Linux for Power, little endian 10 SRPM firefox-140.10.0-1.el10_1.src.rpm SHA-256: 9f940ad54ead0c073fc9de87a6ea51b6ffe0278a6f2c74900f447c4fe892130c ppc64le firefox-140.10.0-1.el10_1.ppc64le.rpm SHA-256: 3cb8ce3c57914c79d4f1d0a6c618d5cc879259e7407fe412812ed0d5f11bfa71 firefox-debuginfo-140.10.0-1.el10_1.ppc64le.rpm SHA-256: 11a6e9538e6259b70371f759c38d60518faea62476b8b06d326b196476bbb4e6 firefox-debugsource-140.10.0-1.el10_1.ppc64le.rpm SHA-256: 1a9d6a88d7515812af1bf173d48a79209eb46dc6ec625b747c4db69d6ee75aae Red Hat Enterprise Linux for ARM 64 10 SRPM firefox-140.10.0-1.el10_1.src.rpm SHA-256: 9f940ad54ead0c073fc9de87a6ea51b6ffe0278a6f2c74900f447c4fe892130c aarch64 firefox-140.10.0-1.el10_1.aarch64.rpm SHA-256: cf4c720269e4c9887492840b06b212a9339efe3fdaafe77955570894630eb0b7 firefox-debuginfo-140.10.0-1.el10_1.aarch64.rpm SHA-256: a644a3769f2fa301263e0f5de71a0d36fac3572620adf65427697e6d1db9fccd firefox-debugsource-140.10.0-1.el10_1.aarch64.rpm SHA-256: c257083a5047c889ab619e4fae8ce4587c42f18ca550b95961e9b74f593588b7 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .