This Important Red Hat security update addresses four high-severity vulnerabilities (CVE-2026-7320, CVE-2026-7321, CVE-2026-7322, CVE-2026-7323) in Firefox and Thunderbird, including memory safety bugs, an information disclosure flaw in the Audio/Video component, and a sandbox escape in the WebRTC networking component. Affected versions include Mozilla Firefox prior to 115.35.1, 140.10.1, and 150.0.1, and Mozilla Thunderbird prior to 140.10.1 and 150.0.1, with CVSS scores ranging from 7.3 to 7.5. The fix requires updating Firefox packages on Red Hat Enterprise Linux 8 systems to the patched versions provided in the advisory.
Red Hat Product Errata RHSA-2026:19588 - Security Advisory Issued: 2026-05-20 Updated: 2026-05-20 RHSA-2026:19588 - Security Advisory Overview Updated Packages Synopsis Important: firefox security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for firefox is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fix(es): firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1 (CVE-2026-7323) firefox: thunderbird: Information disclosure due to incorrect boundary conditions in the Audio/Video component (CVE-2026-7320) firefox: thunderbird: Memory safety bugs fixed in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1 (CVE-2026-7322) firefox: thunderbird: webrtc: Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component (CVE-2026-7321) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 8 x86_64 Red Hat Enterprise Linux for IBM z Systems 8 s390x Red Hat Enterprise Linux for Power, little endian 8 ppc64le Red Hat Enterprise Linux for ARM 64 8 aarch64 Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 8.10 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 8.10 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 8.10 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 8.10 s390x Fixes BZ - 2463481 - CVE-2026-7323 firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1 BZ - 2463483 - CVE-2026-7320 firefox: thunderbird: Information disclosure due to incorrect boundary conditions in the Audio/Video component BZ - 2463484 - CVE-2026-7322 firefox: thunderbird: Memory safety bugs fixed in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1 BZ - 2463485 - CVE-2026-7321 firefox: thunderbird: webrtc: Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component CVEs CVE-2026-7320 CVE-2026-7321 CVE-2026-7322 CVE-2026-7323 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 8 SRPM firefox-140.10.1-1.el8_10.src.rpm SHA-256: 88e7c8e7a1105c5761023e6c6a58d88ecfbd1e476e830c1906cba734afa24f25 x86_64 firefox-140.10.1-1.el8_10.x86_64.rpm SHA-256: a5f615f8200bf167f5a15df1ae4e20badfdbad9f159213fd6badfc690db5e588 firefox-debuginfo-140.10.1-1.el8_10.x86_64.rpm SHA-256: 2143df49be142ba1337e8f83c3308be1196e63280c293f1c318c0508f669dd56 firefox-debugsource-140.10.1-1.el8_10.x86_64.rpm SHA-256: bcf97dccc4c3c92d02b1e317aba6aba4e145315fc0c2ae87c1b104b805c86681 Red Hat Enterprise Linux for IBM z Systems 8 SRPM firefox-140.10.1-1.el8_10.src.rpm SHA-256: 88e7c8e7a1105c5761023e6c6a58d88ecfbd1e476e830c1906cba734afa24f25 s390x firefox-140.10.1-1.el8_10.s390x.rpm SHA-256: 30991c0ee798fa67d651cdcb3e29575c91a89d32ba806dfe58acf53967faa434 firefox-debuginfo-140.10.1-1.el8_10.s390x.rpm SHA-256: 553f0633626b44cdd8dce0200a89adf793525ec54e827869e8242cdba16d89a6 firefox-debugsource-140.10.1-1.el8_10.s390x.rpm SHA-256: a3f33e966cb987736c35453b88519bcfe1b2c47f2aa564f77504599e1dc3e6b2 Red Hat Enterprise Linux for Power, little endian 8 SRPM firefox-140.10.1-1.el8_10.src.rpm SHA-256: 88e7c8e7a1105c5761023e6c6a58d88ecfbd1e476e830c1906cba734afa24f25 ppc64le firefox-140.10.1-1.el8_10.ppc64le.rpm SHA-256: d83ddde182eb36a575d6aa922547a4ccc86a30699b0e736581ccd89c0221d329 firefox-debuginfo-140.10.1-1.el8_10.ppc64le.rpm SHA-256: 459568884446f5261167e3adb26cf82bb00893dad67c2a3ccc918c9b96c5ecc0 firefox-debugsource-140.10.1-1.el8_10.ppc64le.rpm SHA-256: 023472ed8d3e055420bd3b0a4db0a4652d487ef2eda8dd45aa2121c94ca15f9f Red Hat Enterprise Linux for ARM 64 8 SRPM firefox-140.10.1-1.el8_10.src.rpm SHA-256: 88e7c8e7a1105c5761023e6c6a58d88ecfbd1e476e830c1906cba734afa24f25 aarch64 firefox-140.10.1-1.el8_10.aarch64.rpm SHA-256: f8e5ac5fe9bfeaa50d910571263b4a93017c392504c99215b76815b174a6c5c5 firefox-debuginfo-140.10.1-1.el8_10.aarch64.rpm SHA-256: fb1d54408e9387c91245bd20a4609beca2bfc5e049c2f128f22df4ca74f297f8 firefox-debugsource-140.10.1-1.el8_10.aarch64.rpm SHA-256: d8ee54399e950434a1481d86c23d8adf36f28aff572d162cf5a7431b723b415c Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 8.10 SRPM firefox-140.10.1-1.el8_10.src.rpm SHA-256: 88e7c8e7a1105c5761023e6c6a58d88ecfbd1e476e830c1906cba734afa24f25 x86_64 firefox-140.10.1-1.el8_10.x86_64.rpm SHA-256: a5f615f8200bf167f5a15df1ae4e20badfdbad9f159213fd6badfc690db5e588 firefox-debuginfo-140.10.1-1.el8_10.x86_64.rpm SHA-256: 2143df49be142ba1337e8f83c3308be1196e63280c293f1c318c0508f669dd56 firefox-debugsource-140.10.1-1.el8_10.x86_64.rpm SHA-256: bcf97dccc4c3c92d02b1e317aba6aba4e145315fc0c2ae87c1b104b805c86681 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 8.10 SRPM firefox-140.10.1-1.el8_10.src.rpm SHA-256: 88e7c8e7a1105c5761023e6c6a58d88ecfbd1e476e830c1906cba734afa24f25 aarch64 firefox-140.10.1-1.el8_10.aarch64.rpm SHA-256: f8e5ac5fe9bfeaa50d910571263b4a93017c392504c99215b76815b174a6c5c5 firefox-debuginfo-140.10.1-1.el8_10.aarch64.rpm SHA-256: fb1d54408e9387c91245bd20a4609beca2bfc5e049c2f128f22df4ca74f297f8 firefox-debugsource-140.10.1-1.el8_10.aarch64.rpm SHA-256: d8ee54399e950434a1481d86c23d8adf36f28aff572d162cf5a7431b723b415c Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 8.10 SRPM firefox-140.10.1-1.el8_10.src.rpm SHA-256: 88e7c8e7a1105c5761023e6c6a58d88ecfbd1e476e830c1906cba734afa24f25 ppc64le firefox-140.10.1-1.el8_10.ppc64le.rpm SHA-256: d83ddde182eb36a575d6aa922547a4ccc86a30699b0e736581ccd89c0221d329 firefox-debuginfo-140.10.1-1.el8_10.ppc64le.rpm SHA-256: 459568884446f5261167e3adb26cf82bb00893dad67c2a3ccc918c9b96c5ecc0 firefox-debugsource-140.10.1-1.el8_10.ppc64le.rpm SHA-256: 023472ed8d3e055420bd3b0a4db0a4652d487ef2eda8dd45aa2121c94ca15f9f Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 8.10 SRPM firefox-140.10.1-1.el8_10.src.rpm SHA-256: 88e7c8e7a1105c5761023e6c6a58d88ecfbd1e476e830c1906cba734afa24f25 s390x firefox-140.10.1-1.el8_10.s390x.rpm SHA-256: 30991c0ee798fa67d651cdcb3e29575c91a89d32ba806dfe58acf53967faa434 firefox-debuginfo-140.10.1-1.el8_10.s390x.rpm SHA-256: 553f0633626b44cdd8dce0200a89adf793525ec54e827869e8242cdba16d89a6 firefox-debugsource-140.10.1-1.el8_10.s390x.rpm SHA-256: a3f33e966cb987736c35453b88519bcfe1b2c47f2aa564f77504599e1dc3e6b2 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .