ALSA-2026:5932

[ALSA-2026:5932] Important: firefox security update

Type:

security

Severity:

important

Release date:

2026-03-30

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.  

Security Fix(es):  

  * firefox: thunderbird: Use-after-free in the JavaScript Engine component (CVE-2026-4701)
  * firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 (CVE-2026-4721)
  * firefox: thunderbird: Privilege escalation in the Netmonitor component (CVE-2026-4717)
  * firefox: thunderbird: Sandbox escape due to use-after-free in the Disability Access APIs component (CVE-2026-4688)
  * firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4706)
  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: Web Codecs component (CVE-2026-4695)
  * firefox: thunderbird: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component (CVE-2026-4689)
  * firefox: thunderbird: JIT miscompilation in the JavaScript Engine: JIT component (CVE-2026-4698)
  * firefox: thunderbird: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component (CVE-2026-4716)
  * firefox: thunderbird: Race condition, use-after-free in the Graphics: WebRender component (CVE-2026-4684)
  * firefox: thunderbird: Undefined behavior in the WebRTC: Signaling component (CVE-2026-4705)
  * firefox: thunderbird: Uninitialized memory in the Graphics: Canvas2D component (CVE-2026-4715)
  * firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4685)
  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video component (CVE-2026-4714)
  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: GMP component (CVE-2026-4709)
  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video component (CVE-2026-4710)
  * firefox: thunderbird: Information disclosure in the Widget: Cocoa component (CVE-2026-4712)
  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: Web Codecs component (CVE-2026-4697)
  * firefox: thunderbird: Incorrect boundary conditions in the Graphics component (CVE-2026-4713)
  * firefox: thunderbird: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component (CVE-2026-4690)
  * firefox: thunderbird: Use-after-free in the Widget: Cocoa component (CVE-2026-4711)
  * firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4686)
  * firefox: thunderbird: Incorrect boundary conditions in the Graphics component (CVE-2026-4708)
  * firefox: thunderbird: Use-after-free in the CSS Parsing and Computation component (CVE-2026-4691)
  * firefox: thunderbird: Incorrect boundary conditions in the Layout: Text and Fonts component (CVE-2026-4699)
  * firefox: thunderbird: Use-after-free in the Layout: Text and Fonts component (CVE-2026-4696)
  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: Playback component (CVE-2026-4693)
  * firefox: thunderbird: Undefined behavior in the WebRTC: Signaling component (CVE-2026-4718)
  * firefox: thunderbird: JIT miscompilation in the JavaScript Engine component (CVE-2026-4702)
  * firefox: thunderbird: Incorrect boundary conditions in the Graphics: Text component (CVE-2026-4719)
  * firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics component (CVE-2026-4694)
  * firefox: thunderbird: Sandbox escape in the Responsive Design Mode component (CVE-2026-4692)
  * firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 (CVE-2026-4720)
  * firefox: thunderbird: Mitigation bypass in the Networking: HTTP component (CVE-2026-4700)
  * firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4707)
  * firefox: thunderbird: Denial-of-service in the WebRTC: Signaling component (CVE-2026-4704)
  * firefox: thunderbird: Sandbox escape due to incorrect boundary conditions in the Telemetry component (CVE-2026-4687)


For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References:

CVE-2026-4684
CVE-2026-4685
CVE-2026-4686
CVE-2026-4687
CVE-2026-4688
CVE-2026-4689
CVE-2026-4690
CVE-2026-4691
CVE-2026-4692
CVE-2026-4693
CVE-2026-4694
CVE-2026-4695
CVE-2026-4696
CVE-2026-4697
CVE-2026-4698
CVE-2026-4699
CVE-2026-4700
CVE-2026-4701
CVE-2026-4702
CVE-2026-4704
CVE-2026-4705
CVE-2026-4706
CVE-2026-4707
CVE-2026-4708
CVE-2026-4709
CVE-2026-4710
CVE-2026-4711
CVE-2026-4712
CVE-2026-4713
CVE-2026-4714
CVE-2026-4715
CVE-2026-4716
CVE-2026-4717
CVE-2026-4718
CVE-2026-4719
CVE-2026-4720
CVE-2026-4721
RHSA-2026:5932
ALSA-2026:5932

Updated packages listed below:

Architecture	Package	Checksum
aarch64	firefox-140.9.0-1.el8_10.alma.1.aarch64.rpm	b485893e744aa184a9f1a1510db6e349e4641e9d1502414427e7fcaea3ac1fdf
ppc64le	firefox-140.9.0-1.el8_10.alma.1.ppc64le.rpm	bbcab9dad682cc2fcbcd8e1c936a63eb7c4ecf87699ef54e7be9f5a108e82f28
s390x	firefox-140.9.0-1.el8_10.alma.1.s390x.rpm	b5de54e61b4c5c8c2621e7f21db2b8a42c546fd076e53cd31b151ecd7fe07c57
x86_64	firefox-140.9.0-1.el8_10.alma.1.x86_64.rpm	b3649989f7ad246fa2ed0803b9afdfb21ad3a26dae6eba0f500b1f22be1f187a

Notes:

This page is generated automatically from Red Hat security data and has not been checked for errors. For clarification or corrections please contact the AlmaLinux Packaging Team.