|
|
Log in / Subscribe / Register

AlmaLinux alert ALSA-2026:5931 (firefox)



From:
              AlmaLinux Errata Notifications via Announce <announce@lists.almalinux.org>


To:
              announce@lists.almalinux.org


Subject:
              [Announce]  [Security Advisory] ALSA-2026:5931: firefox security update (Important)


Date:
              Mon, 30 Mar 2026 15:01:43 +0000


Message-ID:
              <0100019d3f43d5a6-0f6b71ab-817d-4a45-9b43-ac14af03cfe3-000000@email.amazonses.com>


Archive-link:
              Article


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata
notifications from AlmaLinux.

AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-03-30

Summary:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and
portability.  

Security Fix(es):  

  * firefox: thunderbird: Use-after-free in the JavaScript Engine component (CVE-2026-4701)
  * firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9,
Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 (CVE-2026-4721)
  * firefox: thunderbird: Privilege escalation in the Netmonitor component (CVE-2026-4717)
  * firefox: thunderbird: Sandbox escape due to use-after-free in the Disability Access APIs
component (CVE-2026-4688)
  * firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component
(CVE-2026-4706)
  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: Web Codecs component
(CVE-2026-4695)
  * firefox: thunderbird: Sandbox escape due to incorrect boundary conditions, integer overflow in
the XPCOM component (CVE-2026-4689)
  * firefox: thunderbird: JIT miscompilation in the JavaScript Engine: JIT component
(CVE-2026-4698)
  * firefox: thunderbird: Incorrect boundary conditions, uninitialized memory in the JavaScript
Engine component (CVE-2026-4716)
  * firefox: thunderbird: Race condition, use-after-free in the Graphics: WebRender component
(CVE-2026-4684)
  * firefox: thunderbird: Undefined behavior in the WebRTC: Signaling component (CVE-2026-4705)
  * firefox: thunderbird: Uninitialized memory in the Graphics: Canvas2D component
(CVE-2026-4715)
  * firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component
(CVE-2026-4685)
  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video component
(CVE-2026-4714)
  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: GMP component
(CVE-2026-4709)
  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video component
(CVE-2026-4710)
  * firefox: thunderbird: Information disclosure in the Widget: Cocoa component (CVE-2026-4712)
  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: Web Codecs component
(CVE-2026-4697)
  * firefox: thunderbird: Incorrect boundary conditions in the Graphics component (CVE-2026-4713)
  * firefox: thunderbird: Sandbox escape due to incorrect boundary conditions, integer overflow in
the XPCOM component (CVE-2026-4690)
  * firefox: thunderbird: Use-after-free in the Widget: Cocoa component (CVE-2026-4711)
  * firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component
(CVE-2026-4686)
  * firefox: thunderbird: Incorrect boundary conditions in the Graphics component (CVE-2026-4708)
  * firefox: thunderbird: Use-after-free in the CSS Parsing and Computation component
(CVE-2026-4691)
  * firefox: thunderbird: Incorrect boundary conditions in the Layout: Text and Fonts component
(CVE-2026-4699)
  * firefox: thunderbird: Use-after-free in the Layout: Text and Fonts component (CVE-2026-4696)
  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: Playback component
(CVE-2026-4693)
  * firefox: thunderbird: Undefined behavior in the WebRTC: Signaling component (CVE-2026-4718)
  * firefox: thunderbird: JIT miscompilation in the JavaScript Engine component (CVE-2026-4702)
  * firefox: thunderbird: Incorrect boundary conditions in the Graphics: Text component
(CVE-2026-4719)
  * firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics component
(CVE-2026-4694)
  * firefox: thunderbird: Sandbox escape in the Responsive Design Mode component (CVE-2026-4692)
  * firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9,
Firefox 149 and Thunderbird 149 (CVE-2026-4720)
  * firefox: thunderbird: Mitigation bypass in the Networking: HTTP component (CVE-2026-4700)
  * firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component
(CVE-2026-4707)
  * firefox: thunderbird: Denial-of-service in the WebRTC: Signaling component (CVE-2026-4704)
  * firefox: thunderbird: Sandbox escape due to incorrect boundary conditions in the Telemetry
component (CVE-2026-4687)


For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,
and other related information, refer to the CVE page(s) listed in the References section.


Full details, updated packages, references, and other related information:
https://errata.almalinux.org/10/ALSA-2026-5931.html

This message is automatically generated, please don’t reply. For further questions, please, contact
us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on
https://lists.almalinux.org.

Kind regards,
AlmaLinux Team
_______________________________________________
Announce mailing list -- announce@lists.almalinux.org
To unsubscribe send an email to announce-leave@lists.almalinux.org
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds