=====================================================================
                          CERT-Renater

              Information Note No. 2026/VULN037
_____________________________________________________________________

DATE                 : 15/01/2026

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Firefox versions prior to 147,
                       ESR 115.32, ESR 140.7.

=====================================================================
https://www.mozilla.org/en-US/security/advisories/mfsa2026-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-02/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-03/
_____________________________________________________________________

Mozilla Foundation Security Advisory 2026-01

Security Vulnerabilities fixed in Firefox 147

  Announced   January 13, 2026
  Impact      high
  Products    Firefox
  Fixed in    Firefox 147

#CVE-2026-0877: Mitigation bypass in the DOM: Security component
  Reporter    mingijung
  Impact      high
  References  Bug 1999257

#CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
  Reporter    Oskar L
  Impact      high
  References  Bug 2003989

#CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in the Graphics component
  Reporter    Oskar L
  Impact      high
  References  Bug 2004602

#CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics component
  Reporter    Oskar L
  Impact      high
  References  Bug 2005014

#CVE-2026-0881: Sandbox escape in the Messaging System component
  Reporter    Andrew McCreight
  Impact      high
  References  Bug 2005845

#CVE-2026-0882: Use-after-free in the IPC component
  Reporter    Randell Jesup
  Impact      high
  References  Bug 1924125

#CVE-2026-0883: Information disclosure in the Networking component
  Reporter    Vladislav Plyatsok
  Impact      moderate
  References  Bug 1989340

#CVE-2026-0884: Use-after-free in the JavaScript Engine component
  Reporter    Gary Kwong and Nan Wang
  Impact      moderate
  References  Bug 2003588

#CVE-2026-0885: Use-after-free in the JavaScript: GC component
  Reporter    Irvan Kurniawan
  Impact      moderate
  References  Bug 2003607

#CVE-2026-0886: Incorrect boundary conditions in the Graphics component
  Reporter    Oskar L
  Impact      moderate
  References  Bug 2005658

#CVE-2026-0887: Clickjacking issue, information disclosure in the PDF Viewer component
  Reporter    Lyra Rebane
  Impact      moderate
  References  Bug 2006500

#CVE-2026-0888: Information disclosure in the XML component
  Reporter    Pier Angelo Vendrame
  Impact      low
  References  Bug 1985996

#CVE-2026-0889: Denial-of-service in the DOM: Service Workers component
  Reporter    Elysee Franchuk, Caleb Lerch
  Impact      low
  References  Bug 1999084

#CVE-2026-0890: Spoofing issue in the DOM: Copy & Paste and Drag & Drop component
  Reporter    Edgar Chen
  Impact      low
  References  Bug 2005081

#CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147
  Reporter    Andrew McCreight, Dennis Jackson and the Mozilla Fuzzing Team
  Impact      high
  Description
    Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR
    140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed
    evidence of memory corruption and we presume that with enough
    effort some of these could have been exploited to run arbitrary
    code.
  References  Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147

#CVE-2026-0892: Memory safety bugs fixed in Firefox 147 and Thunderbird 147
  Reporter    Hiroyuki Ikezoe, Jon Coppeard, Maurice Dauer and the Mozilla Fuzzing Team
  Impact      moderate
  Description
    Memory safety bugs present in Firefox 146 and Thunderbird 146.
    Some of these bugs showed evidence of memory corruption and we
    presume that with enough effort some of these could have been
    exploited to run arbitrary code.
  References  Memory safety bugs fixed in Firefox 147 and Thunderbird 147

_____________________________________________________________________

Mozilla Foundation Security Advisory 2026-02

Security Vulnerabilities fixed in Firefox ESR 115.32

  Announced   January 13, 2026
  Impact      high
  Products    Firefox ESR
  Fixed in    Firefox ESR 115.32

#CVE-2026-0877: Mitigation bypass in the DOM: Security component
  Reporter    mingijung
  Impact      high
  References  Bug 1999257

#CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in the Graphics component
  Reporter    Oskar L
  Impact      high
  References  Bug 2004602

#CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics component
  Reporter    Oskar L
  Impact      high
  References  Bug 2005014

#CVE-2026-0882: Use-after-free in the IPC component
  Reporter    Randell Jesup
  Impact      high
  References  Bug 1924125

#CVE-2026-0886: Incorrect boundary conditions in the Graphics component
  Reporter    Oskar L
  Impact      moderate
  References  Bug 2005658

_____________________________________________________________________

Mozilla Foundation Security Advisory 2026-03

Security Vulnerabilities fixed in Firefox ESR 140.7

  Announced   January 13, 2026
  Impact      high
  Products    Firefox ESR
  Fixed in    Firefox ESR 140.7

#CVE-2026-0877: Mitigation bypass in the DOM: Security component
  Reporter    mingijung
  Impact      high
  References  Bug 1999257

#CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
  Reporter    Oskar L
  Impact      high
  References  Bug 2003989

#CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in the Graphics component
  Reporter    Oskar L
  Impact      high
  References  Bug 2004602

#CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics component
  Reporter    Oskar L
  Impact      high
  References  Bug 2005014

#CVE-2026-0882: Use-after-free in the IPC component
  Reporter    Randell Jesup
  Impact      high
  References  Bug 1924125

#CVE-2025-14327: Spoofing issue in the Downloads Panel component
  Reporter    Caro Kann
  Impact      moderate
  References  Bug 1970743

#CVE-2026-0883: Information disclosure in the Networking component
  Reporter    Vladislav Plyatsok
  Impact      moderate
  References  Bug 1989340

#CVE-2026-0884: Use-after-free in the JavaScript Engine component
  Reporter    Gary Kwong and Nan Wang
  Impact      moderate
  References  Bug 2003588

#CVE-2026-0885: Use-after-free in the JavaScript: GC component
  Reporter    Irvan Kurniawan
  Impact      moderate
  References  Bug 2003607

#CVE-2026-0886: Incorrect boundary conditions in the Graphics component
  Reporter    Oskar L
  Impact      moderate
  References  Bug 2005658

#CVE-2026-0887: Clickjacking issue, information disclosure in the PDF Viewer component
  Reporter    Lyra Rebane
  Impact      moderate
  References  Bug 2006500

#CVE-2026-0890: Spoofing issue in the DOM: Copy & Paste and Drag & Drop component
  Reporter    Edgar Chen
  Impact      low
  References  Bug 2005081

#CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147
  Reporter    Andrew McCreight, Dennis Jackson and the Mozilla Fuzzing Team
  Impact      high
  Description
    Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR
    140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed
    evidence of memory corruption and we presume that with enough
    effort some of these could have been exploited to run arbitrary
    code.
  References  Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147

=========================================================
+ CERT-RENATER        |  tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel    |  fax : 01-53-94-20-41           +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================