RHSA-2026:13665: Important: firefox security update


Red Hat Product Errata
RHSA-2026:13665 - Security Advisory
Issued: 2026-05-05
Updated: 2026-05-05

Synopsis
Important: firefox security update

Type/Severity
Security Advisory: Important

Topic
An update for firefox is now available for Red Hat Enterprise Linux 10.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):
libpng: libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)
libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)
thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5734)
thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5731)
firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component (CVE-2026-5732)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products
Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x
Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le
Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64

Fixes
BZ - 2451805 - CVE-2026-33416 libpng: libpng: Arbitrary code execution due to use-after-free vulnerability
BZ - 2451819 - CVE-2026-33636 libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion
BZ - 2455897 - CVE-2026-5734 thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
BZ - 2455901 - CVE-2026-5731 thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
BZ - 2455908 - CVE-2026-5732 firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component

CVEs
CVE-2026-5731
CVE-2026-5732
CVE-2026-5734
CVE-2026-33416
CVE-2026-33636

References
https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.
Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0
SRPM: firefox-140.9.1-1.el10_0.src.rpm
x86_64: firefox-140.9.1-1.el10_0.x86_64.rpm, firefox-debuginfo-140.9.1-1.el10_0.x86_64.rpm, firefox-debugsource-140.9.1-1.el10_0.x86_64.rpm

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0
SRPM: firefox-140.9.1-1.el10_0.src.rpm
s390x: firefox-140.9.1-1.el10_0.s390x.rpm, firefox-debuginfo-140.9.1-1.el10_0.s390x.rpm, firefox-debugsource-140.9.1-1.el10_0.s390x.rpm

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0
SRPM: firefox-140.9.1-1.el10_0.src.rpm
ppc64le: firefox-140.9.1-1.el10_0.ppc64le.rpm, firefox-debuginfo-140.9.1-1.el10_0.ppc64le.rpm, firefox-debugsource-140.9.1-1.el10_0.ppc64le.rpm

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0
SRPM: firefox-140.9.1-1.el10_0.src.rpm
aarch64: firefox-140.9.1-1.el10_0.aarch64.rpm, firefox-debuginfo-140.9.1-1.el10_0.aarch64.rpm, firefox-debugsource-140.9.1-1.el10_0.aarch64.rpm

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0
SRPM: firefox-140.9.1-1.el10_0.src.rpm
aarch64: firefox-140.9.1-1.el10_0.aarch64.rpm, firefox-debuginfo-140.9.1-1.el10_0.aarch64.rpm, firefox-debugsource-140.9.1-1.el10_0.aarch64.rpm

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0
SRPM: firefox-140.9.1-1.el10_0.src.rpm
s390x: firefox-140.9.1-1.el10_0.s390x.rpm, firefox-debuginfo-140.9.1-1.el10_0.s390x.rpm, firefox-debugsource-140.9.1-1.el10_0.s390x.rpm

Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0
SRPM: firefox-140.9.1-1.el10_0.src.rpm
ppc64le: firefox-140.9.1-1.el10_0.ppc64le.rpm, firefox-debuginfo-140.9.1-1.el10_0.ppc64le.rpm, firefox-debugsource-140.9.1-1.el10_0.ppc64le.rpm

Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0
SRPM: firefox-140.9.1-1.el10_0.src.rpm
x86_64: firefox-140.9.1-1.el10_0.x86_64.rpm, firefox-debuginfo-140.9.1-1.el10_0.x86_64.rpm, firefox-debugsource-140.9.1-1.el10_0.x86_64.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
