Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Multiple Firefox Security Fixes Released
MGASA-2026-0052
Summary
Mozilla has released updates to fix several security issues in Firefox that could allow an attacker to access sensitive data or execute malicious code on your computer. These updates are highly recommended to ensure the security of your browser. To stay protected, make sure to update your Firefox to the latest version.
What to do
- Update rootcerts to version 20260206.00-1.mga9.
- Update nss to version 3.121.0-1.mga9.
- Update firefox to version 140.8.0-1.mga9.
- Update firefox-l10n to version 140.8.0-1.mga9.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | rootcerts | <= 20260206.00-1.mga9 | 20260206.00-1.mga9 |
| – | nss | <= 3.121.0-1.mga9 | 3.121.0-1.mga9 |
| – | firefox | <= 140.8.0-1.mga9 | 140.8.0-1.mga9 |
| – | firefox-l10n | <= 140.8.0-1.mga9 | 140.8.0-1.mga9 |
Original title
Updated rootcerts, nss & firefox packages fix security vulnerabilities
Original description
Incorrect boundary conditions in the WebRTC: Audio/Video component.
(CVE-2026-2757)
Use-after-free in the JavaScript: GC component. (CVE-2026-2758)
Incorrect boundary conditions in the Graphics: ImageLib component.
(CVE-2026-2759)
Sandbox escape due to incorrect boundary conditions in the Graphics:
WebRender component. (CVE-2026-2760)
Sandbox escape in the Graphics: WebRender component. (CVE-2026-2761)
Integer overflow in the JavaScript: Standard Library component.
(CVE-2026-2762)
Use-after-free in the JavaScript Engine component. (CVE-2026-2763)
JIT miscompilation, use-after-free in the JavaScript Engine: JIT
component. (CVE-2026-2764)
Use-after-free in the JavaScript Engine component. (CVE-2026-2765)
Use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2766)
Use-after-free in the JavaScript: WebAssembly component. (CVE-2026-2767)
Sandbox escape in the Storage: IndexedDB component. (CVE-2026-2768)
Use-after-free in the Storage: IndexedDB component. (CVE-2026-2769)
Use-after-free in the DOM: Bindings (WebIDL) component. (CVE-2026-2770)
Undefined behavior in the DOM: Core & HTML component. (CVE-2026-2771)
Use-after-free in the Audio/Video: Playback component. (CVE-2026-2772)
Incorrect boundary conditions in the Web Audio component.
(CVE-2026-2773)
Integer overflow in the Audio/Video component. (CVE-2026-2774)
Mitigation bypass in the DOM: HTML Parser component. (CVE-2026-2775)
Sandbox escape due to incorrect boundary conditions in the Telemetry
component in External Software. (CVE-2026-2776)
Privilege escalation in the Messaging System component. (CVE-2026-2777)
Sandbox escape due to incorrect boundary conditions in the DOM: Core &
HTML component. (CVE-2026-2778)
Incorrect boundary conditions in the Networking: JAR component.
(CVE-2026-2779)
Privilege escalation in the Netmonitor component. (CVE-2026-2780)
Integer overflow in the Libraries component in NSS. (CVE-2026-2781)
Privilege escalation in the Netmonitor component. (CVE-2026-2782)
Information disclosure due to JIT miscompilation in the JavaScript
Engine: JIT component. (CVE-2026-2783)
Mitigation bypass in the DOM: Security component. (CVE-2026-2784)
Invalid pointer in the JavaScript Engine component. (CVE-2026-2785)
Use-after-free in the JavaScript Engine component. (CVE-2026-2786)
Use-after-free in the DOM: Window and Location component.
(CVE-2026-2787)
Incorrect boundary conditions in the Audio/Video: GMP component.
(CVE-2026-2788)
Use-after-free in the Graphics: ImageLib component. (CVE-2026-2789)
Same-origin policy bypass in the Networking: JAR component.
(CVE-2026-2790)
Mitigation bypass in the Networking: Cache component. (CVE-2026-2791)
Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8,
Firefox 148 and Thunderbird 148. (CVE-2026-2792)
Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8,
Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2793)
(CVE-2026-2757)
Use-after-free in the JavaScript: GC component. (CVE-2026-2758)
Incorrect boundary conditions in the Graphics: ImageLib component.
(CVE-2026-2759)
Sandbox escape due to incorrect boundary conditions in the Graphics:
WebRender component. (CVE-2026-2760)
Sandbox escape in the Graphics: WebRender component. (CVE-2026-2761)
Integer overflow in the JavaScript: Standard Library component.
(CVE-2026-2762)
Use-after-free in the JavaScript Engine component. (CVE-2026-2763)
JIT miscompilation, use-after-free in the JavaScript Engine: JIT
component. (CVE-2026-2764)
Use-after-free in the JavaScript Engine component. (CVE-2026-2765)
Use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2766)
Use-after-free in the JavaScript: WebAssembly component. (CVE-2026-2767)
Sandbox escape in the Storage: IndexedDB component. (CVE-2026-2768)
Use-after-free in the Storage: IndexedDB component. (CVE-2026-2769)
Use-after-free in the DOM: Bindings (WebIDL) component. (CVE-2026-2770)
Undefined behavior in the DOM: Core & HTML component. (CVE-2026-2771)
Use-after-free in the Audio/Video: Playback component. (CVE-2026-2772)
Incorrect boundary conditions in the Web Audio component.
(CVE-2026-2773)
Integer overflow in the Audio/Video component. (CVE-2026-2774)
Mitigation bypass in the DOM: HTML Parser component. (CVE-2026-2775)
Sandbox escape due to incorrect boundary conditions in the Telemetry
component in External Software. (CVE-2026-2776)
Privilege escalation in the Messaging System component. (CVE-2026-2777)
Sandbox escape due to incorrect boundary conditions in the DOM: Core &
HTML component. (CVE-2026-2778)
Incorrect boundary conditions in the Networking: JAR component.
(CVE-2026-2779)
Privilege escalation in the Netmonitor component. (CVE-2026-2780)
Integer overflow in the Libraries component in NSS. (CVE-2026-2781)
Privilege escalation in the Netmonitor component. (CVE-2026-2782)
Information disclosure due to JIT miscompilation in the JavaScript
Engine: JIT component. (CVE-2026-2783)
Mitigation bypass in the DOM: Security component. (CVE-2026-2784)
Invalid pointer in the JavaScript Engine component. (CVE-2026-2785)
Use-after-free in the JavaScript Engine component. (CVE-2026-2786)
Use-after-free in the DOM: Window and Location component.
(CVE-2026-2787)
Incorrect boundary conditions in the Audio/Video: GMP component.
(CVE-2026-2788)
Use-after-free in the Graphics: ImageLib component. (CVE-2026-2789)
Same-origin policy bypass in the Networking: JAR component.
(CVE-2026-2790)
Mitigation bypass in the Networking: Cache component. (CVE-2026-2791)
Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8,
Firefox 148 and Thunderbird 148. (CVE-2026-2792)
Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8,
Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2793)
- https://advisories.mageia.org/MGASA-2026-0052.html Vendor Advisory
- https://bugs.mageia.org/show_bug.cgi?id=35165 Third Party Advisory
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_121.html Third Party Advisory
- https://www.firefox.com/en-US/firefox/140.8.0/releasenotes/ Third Party Advisory
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-15/ Third Party Advisory
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026