Mozilla Foundation Security Advisory 2026-01

Security Vulnerabilities fixed in Firefox 147

Announced

January 13, 2026

Impact

high

Products

Firefox

Fixed in

Firefox 147

#CVE-2026-0877: Mitigation bypass in the DOM: Security component

Reporter: mingijung
Impact: high

References

Bug 1999257

#CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component

Reporter: Oskar L
Impact: high

References

Bug 2003989

#CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in the Graphics component

Reporter: Oskar L
Impact: high

References

Bug 2004602

#CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics component

Reporter: Oskar L
Impact: high

References

Bug 2005014

#CVE-2026-0881: Sandbox escape in the Messaging System component

Reporter: Andrew McCreight
Impact: high

References

Bug 2005845

#CVE-2026-0882: Use-after-free in the IPC component

Reporter: Randell Jesup
Impact: high

References

Bug 1924125

#CVE-2026-0883: Information disclosure in the Networking component

Reporter: Vladislav Plyatsok
Impact: moderate

References

Bug 1989340

#CVE-2026-0884: Use-after-free in the JavaScript Engine component

Reporter: Gary Kwong and Nan Wang
Impact: moderate

References

Bug 2003588

#CVE-2026-0885: Use-after-free in the JavaScript: GC component

Reporter: Irvan Kurniawan
Impact: moderate

References

Bug 2003607

#CVE-2026-0886: Incorrect boundary conditions in the Graphics component

Reporter: Oskar L
Impact: moderate

References

Bug 2005658

#CVE-2026-0887: Clickjacking issue, information disclosure in the PDF Viewer component

Reporter: Lyra Rebane
Impact: moderate

References

Bug 2006500

#CVE-2026-0888: Information disclosure in the XML component

Reporter: Pier Angelo Vendrame
Impact: low

References

Bug 1985996

#CVE-2026-0889: Denial-of-service in the DOM: Service Workers component

Reporter: Elysee Franchuk
Impact: low

References

Bug 1999084

#CVE-2026-0890: Spoofing issue in the DOM: Copy & Paste and Drag & Drop component

Reporter: Edgar Chen
Impact: low

References

Bug 2005081

#CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147

Reporter: Andrew McCreight, Dennis Jackson and the Mozilla Fuzzing Team
Impact: high

Description

Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147

#CVE-2026-0892: Memory safety bugs fixed in Firefox 147 and Thunderbird 147

Reporter: Hiroyuki Ikezoe, Jon Coppeard, Maurice Dauer and the Mozilla Fuzzing Team
Impact: moderate

Description

Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox 147 and Thunderbird 147

Mozilla VPN

Mozilla Monitor

Firefox Relay

MDN Plus

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Blog