RHSA-2026:21380 - Security Advisory

Issued: 2026-05-27
Updated: 2026-05-27

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Topic

An update for firefox is now available for Red Hat Enterprise Linux 10.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

firefox: Incorrect boundary conditions in the JavaScript Engine: JIT component (CVE-2026-8388)
firefox: Other issue in the JavaScript Engine component (CVE-2026-8391)
firefox: Sandbox escape in the Profile Backup component (CVE-2026-8401)
firefox: Integer overflow in the Networking: JAR component (CVE-2026-8956)
firefox: Memory safety bugs fixed in Firefox ESR 115.36, Firefox ESR 140.11 and Firefox 151 (CVE-2026-8975)
firefox: Privilege escalation in the DOM: Workers component (CVE-2026-8955)
firefox: Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component (CVE-2026-8968)
firefox: Incorrect boundary conditions, integer overflow in the Audio/Video component (CVE-2026-8954)
firefox: Information disclosure, sandbox escape in the Security: Process Sandboxing component (CVE-2026-8958)
firefox: Incorrect boundary conditions in the Audio/Video: Web Codecs component (CVE-2026-8946)
firefox: Privilege escalation in the Security component (CVE-2026-8970)
firefox: Same-origin policy bypass in the Networking: HTTP component (CVE-2026-8950)
firefox: Memory safety bugs fixed in Firefox ESR 140.11 and Firefox 151 (CVE-2026-8974)
firefox: Sandbox escape due to use-after-free in the Disability Access APIs component (CVE-2026-8953)
firefox: Spoofing issue in the Form Autofill component (CVE-2026-8961)
firefox: Use-after-free in the DOM: Bindings (WebIDL) component (CVE-2026-8947)
firefox: Mitigation bypass in the DOM: Security component (CVE-2026-8962)
firefox: Privilege escalation in the Enterprise Policies component (CVE-2026-8957)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux for x86_64 10 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2 x86_64
Red Hat Enterprise Linux for IBM z Systems 10 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2 s390x
Red Hat Enterprise Linux for Power, little endian 10 ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.2 ppc64le
Red Hat Enterprise Linux for ARM 64 10 aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.2 aarch64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.2 aarch64
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.2 s390x
Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.2 ppc64le
Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.2 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 10.2 x86_64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 10.2 aarch64
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 10.2 ppc64le
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 10.2 s390x

Fixes

BZ - 2476469 - CVE-2026-8388 firefox: Incorrect boundary conditions in the JavaScript Engine: JIT component
BZ - 2476475 - CVE-2026-8391 firefox: Other issue in the JavaScript Engine component
BZ - 2476492 - CVE-2026-8401 firefox: Sandbox escape in the Profile Backup component
BZ - 2479839 - CVE-2026-8956 firefox: Integer overflow in the Networking: JAR component
BZ - 2479840 - CVE-2026-8975 firefox: Memory safety bugs fixed in Firefox ESR 115.36, Firefox ESR 140.11 and Firefox 151
BZ - 2479842 - CVE-2026-8955 firefox: Privilege escalation in the DOM: Workers component
BZ - 2479846 - CVE-2026-8968 firefox: Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component
BZ - 2479847 - CVE-2026-8954 firefox: Incorrect boundary conditions, integer overflow in the Audio/Video component
BZ - 2479848 - CVE-2026-8958 firefox: Information disclosure, sandbox escape in the Security: Process Sandboxing component
BZ - 2479849 - CVE-2026-8946 firefox: Incorrect boundary conditions in the Audio/Video: Web Codecs component
BZ - 2479852 - CVE-2026-8970 firefox: Privilege escalation in the Security component
BZ - 2479853 - CVE-2026-8950 firefox: Same-origin policy bypass in the Networking: HTTP component
BZ - 2479855 - CVE-2026-8974 firefox: Memory safety bugs fixed in Firefox ESR 140.11 and Firefox 151
BZ - 2479860 - CVE-2026-8953 firefox: Sandbox escape due to use-after-free in the Disability Access APIs component
BZ - 2479871 - CVE-2026-8961 firefox: Spoofing issue in the Form Autofill component
BZ - 2479873 - CVE-2026-8947 firefox: Use-after-free in the DOM: Bindings (WebIDL) component
BZ - 2479876 - CVE-2026-8962 firefox: Mitigation bypass in the DOM: Security component
BZ - 2479880 - CVE-2026-8957 firefox: Privilege escalation in the Enterprise Policies component

CVEs

CVE-2026-8388
CVE-2026-8391
CVE-2026-8401
CVE-2026-8946
CVE-2026-8947
CVE-2026-8950
CVE-2026-8953
CVE-2026-8954
CVE-2026-8955
CVE-2026-8956
CVE-2026-8957
CVE-2026-8958
CVE-2026-8961
CVE-2026-8962
CVE-2026-8968
CVE-2026-8970
CVE-2026-8974
CVE-2026-8975

References
https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux for x86_64 10
  SRPM
    firefox-140.11.0-1.el10_2.src.rpm
  x86_64
    firefox-140.11.0-1.el10_2.x86_64.rpm
    firefox-debuginfo-140.11.0-1.el10_2.x86_64.rpm
    firefox-debugsource-140.11.0-1.el10_2.x86_64.rpm

Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2
  SRPM
    firefox-140.11.0-1.el10_2.src.rpm
  x86_64
    firefox-140.11.0-1.el10_2.x86_64.rpm
    firefox-debuginfo-140.11.0-1.el10_2.x86_64.rpm
    firefox-debugsource-140.11.0-1.el10_2.x86_64.rpm

Red Hat Enterprise Linux for IBM z Systems 10
  SRPM
    firefox-140.11.0-1.el10_2.src.rpm
  s390x
    firefox-140.11.0-1.el10_2.s390x.rpm
    firefox-debuginfo-140.11.0-1.el10_2.s390x.rpm
    firefox-debugsource-140.11.0-1.el10_2.s390x.rpm

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2
  SRPM
    firefox-140.11.0-1.el10_2.src.rpm
  s390x
    firefox-140.11.0-1.el10_2.s390x.rpm
    firefox-debuginfo-140.11.0-1.el10_2.s390x.rpm
    firefox-debugsource-140.11.0-1.el10_2.s390x.rpm

Red Hat Enterprise Linux for Power, little endian 10
  SRPM
    firefox-140.11.0-1.el10_2.src.rpm
  ppc64le
    firefox-140.11.0-1.el10_2.ppc64le.rpm
    firefox-debuginfo-140.11.0-1.el10_2.ppc64le.rpm
    firefox-debugsource-140.11.0-1.el10_2.ppc64le.rpm

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.2
  SRPM
    firefox-140.11.0-1.el10_2.src.rpm
  ppc64le
    firefox-140.11.0-1.el10_2.ppc64le.rpm
    firefox-debuginfo-140.11.0-1.el10_2.ppc64le.rpm
    firefox-debugsource-140.11.0-1.el10_2.ppc64le.rpm

Red Hat Enterprise Linux for ARM 64 10
  SRPM
    firefox-140.11.0-1.el10_2.src.rpm
  aarch64
    firefox-140.11.0-1.el10_2.aarch64.rpm
    firefox-debuginfo-140.11.0-1.el10_2.aarch64.rpm
    firefox-debugsource-140.11.0-1.el10_2.aarch64.rpm

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.2
  SRPM
    firefox-140.11.0-1.el10_2.src.rpm

This Red Hat advisory addresses multiple critical vulnerabilities in Firefox, including a critical sandbox escape in the Profile Backup component (CVE-2026-8401, CVSS 9.8) and a high-severity same-origin policy bypass in the HTTP component. The vulnerabilities affect Firefox versions prior to 150.0.3, as per authoritative NVD data. The immediate remediation is to apply the Firefox security update to version 150.0.3 or later.