Red Hat Product Errata RHSA-2026:13582 - Security Advisory Issued: 2026-05-05 Updated: 2026-05-05 RHSA-2026:13582 - Security Advisory Overview Updated Packages Synopsis Important: firefox security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for firefox is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fix(es): libpng: libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416) libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636) thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5734) thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5731) firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component (CVE-2026-5732) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64 Red Hat Enterprise Linux Server - AUS 9.4 x86_64 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.4 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.4 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.4 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.4 s390x Fixes BZ - 2451805 - CVE-2026-33416 libpng: libpng: Arbitrary code execution due to use-after-free vulnerability BZ - 2451819 - CVE-2026-33636 libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion BZ - 2455897 - CVE-2026-5734 thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 BZ - 2455901 - CVE-2026-5731 thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 BZ - 2455908 - CVE-2026-5732 firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component CVEs CVE-2026-5731 CVE-2026-5732 CVE-2026-5734 CVE-2026-33416 CVE-2026-33636 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 SRPM firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4 x86_64 firefox-140.9.1-1.el9_4.x86_64.rpm SHA-256: f206d54c8b911ea0797c92a8f5118f5edd78d1e0931dccc358a97bfed22e012c firefox-debuginfo-140.9.1-1.el9_4.x86_64.rpm SHA-256: 01a4d2bfe689c79d84213663b5d5c3c3c3163ad602d921fb6632811ca3bf1058 firefox-debugsource-140.9.1-1.el9_4.x86_64.rpm SHA-256: ada3c4d5be534681a14bb8a7af44007e0b03b7be0a0fd215d4d23103df149ea4 firefox-x11-140.9.1-1.el9_4.x86_64.rpm SHA-256: f268fb695ff3317f37f0cfad6e5aa4538366f48b81c161348f7e51afbf6623c4 Red Hat Enterprise Linux Server - AUS 9.4 SRPM firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4 x86_64 firefox-140.9.1-1.el9_4.x86_64.rpm SHA-256: f206d54c8b911ea0797c92a8f5118f5edd78d1e0931dccc358a97bfed22e012c firefox-debuginfo-140.9.1-1.el9_4.x86_64.rpm SHA-256: 01a4d2bfe689c79d84213663b5d5c3c3c3163ad602d921fb6632811ca3bf1058 firefox-debugsource-140.9.1-1.el9_4.x86_64.rpm SHA-256: ada3c4d5be534681a14bb8a7af44007e0b03b7be0a0fd215d4d23103df149ea4 firefox-x11-140.9.1-1.el9_4.x86_64.rpm SHA-256: f268fb695ff3317f37f0cfad6e5aa4538366f48b81c161348f7e51afbf6623c4 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 SRPM firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4 s390x firefox-140.9.1-1.el9_4.s390x.rpm SHA-256: ebc0bf7b448d9c8784bfabe099ddcdcb7e575a76701663894f590daea548a7e2 firefox-debuginfo-140.9.1-1.el9_4.s390x.rpm SHA-256: 4f434beceb8347fc8db60bfed71fee15dca3477df99b543a7ff34b2642ef68ec firefox-debugsource-140.9.1-1.el9_4.s390x.rpm SHA-256: 73936a58e7c6327508ea4becf4fb6c2586462bd46858a7f6f8a307679da8c43a firefox-x11-140.9.1-1.el9_4.s390x.rpm SHA-256: 08c419e136f50aa594a2480d6633f73d927ced7df627e323522c573b3a6e4133 Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 SRPM firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4 ppc64le firefox-140.9.1-1.el9_4.ppc64le.rpm SHA-256: ec15382c296b6073a6dbd876f7b8a0c764119813909281bbf6773b9a1770e0e2 firefox-debuginfo-140.9.1-1.el9_4.ppc64le.rpm SHA-256: cc9c2faf81ad9027472d5144a461126690cac010707a52900e6c3cc06b5b3c1d firefox-debugsource-140.9.1-1.el9_4.ppc64le.rpm SHA-256: d3c550f0798519f8cc122ea12a4854e9b6d6591bdeef7f7770931202a09f5489 firefox-x11-140.9.1-1.el9_4.ppc64le.rpm SHA-256: a327a52e8d978ba04913c79f4dfcd9c59571a15249bd51f62183d0d13436f7cd Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 SRPM firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4 aarch64 firefox-140.9.1-1.el9_4.aarch64.rpm SHA-256: 51a6b6c90a36831e0ff8d722b00ec15f346a0dd03f8ea94e0314ceb01c542504 firefox-debuginfo-140.9.1-1.el9_4.aarch64.rpm SHA-256: 0062c761fc096ac0775784ae630374e51b4ae0ee42fc1149a2c2306baf81d787 firefox-debugsource-140.9.1-1.el9_4.aarch64.rpm SHA-256: d48260a1f9ded4e75707fde43a03a940969e4149efbf73eb2f88381fd31b2962 firefox-x11-140.9.1-1.el9_4.aarch64.rpm SHA-256: ebc60c0929c2925177ec62c6d5cbdaef28eb4e31f71deee9f4cc121b22053c92 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 SRPM firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4 ppc64le firefox-140.9.1-1.el9_4.ppc64le.rpm SHA-256: ec15382c296b6073a6dbd876f7b8a0c764119813909281bbf6773b9a1770e0e2 firefox-debuginfo-140.9.1-1.el9_4.ppc64le.rpm SHA-256: cc9c2faf81ad9027472d5144a461126690cac010707a52900e6c3cc06b5b3c1d firefox-debugsource-140.9.1-1.el9_4.ppc64le.rpm SHA-256: d3c550f0798519f8cc122ea12a4854e9b6d6591bdeef7f7770931202a09f5489 firefox-x11-140.9.1-1.el9_4.ppc64le.rpm SHA-256: a327a52e8d978ba04913c79f4dfcd9c59571a15249bd51f62183d0d13436f7cd Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 SRPM firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4 x86_64 firefox-140.9.1-1.el9_4.x86_64.rpm SHA-256: f206d54c8b911ea0797c92a8f5118f5edd78d1e0931dccc358a97bfed22e012c firefox-debuginfo-140.9.1-1.el9_4.x86_64.rpm SHA-256: 01a4d2bfe689c79d84213663b5d5c3c3c3163ad602d921fb6632811ca3bf1058 firefox-debugsource-140.9.1-1.el9_4.x86_64.rpm SHA-256: ada3c4d5be534681a14bb8a7af44007e0b03b7be0a0fd215d4d23103df149ea4 firefox-x11-140.9.1-1.el9_4.x86_64.rpm SHA-256: f268fb695ff3317f37f0cfad6e5aa4538366f48b81c161348f7e51afbf6623c4 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 SRPM firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4 aarch64 firefox-140.9.1-1.el9_4.aarch64.rpm SHA-256: 51a6b6c90a36831e0ff8d722b00ec15f346a0dd03f8ea94e0314ceb01c542504 firefox-debuginfo-140.9.1-1.el9_4.aarch64.rpm SHA-256: 0062c761fc096ac0775784ae630374e51b4ae0ee42fc1149a2c2306baf81d787 firefox-debugsource-140.9.1-1.el9_4.aarch64.rpm SHA-256: d48260a1f9ded4e75707fde43a03a940969e4149efbf73eb2f88381fd31b2962 firefox-x11-140.9.1-1.el9_4.aarch64.rpm SHA-256: ebc60c0929c2925177ec62c6d5cbdaef28eb4e31f71deee9f4cc121b22053c92 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 SRPM firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4 s390x firefox-140.9.1-1.el9_4.s390x.rpm SHA-256: ebc0bf7b448d9c8784bfabe099ddcdcb7e575a76701663894f590daea548a7e2 firefox-debuginfo-140.9.1-1.el9_4.s390x.rpm SHA-256: 4f434beceb8347fc8db60bfed71fee15dca3477df99b543a7ff34b2642ef68ec firefox-debugsource-140.9.1-1.el9_4.s390x.rpm SHA-256: 73936a58e7c6327508ea4becf4fb6c2586462bd46858a7f6f8a307679da8c43a firefox-x11-140.9.1-1.el9_4.s390x.rpm SHA-256: 08c419e136f50aa594a2480d6633f73d927ced7df627e323522c573b3a6e4133 Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.4 SRPM firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4 x86_64 firefox-140.9.1-1.el9_4.x86_64.rpm SHA-256: f206d54c8b911ea0797c92a8f5118f5edd78d1