CVE-2026-2447

8.8 HIGH

📋 TL;DR

A heap buffer overflow vulnerability in the libvpx video codec library allows attackers to execute arbitrary code or cause a denial of service. It affects Firefox and Firefox ESR below the fixed versions listed below, across multiple release channels.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
Versions: Firefox < 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1
Operating Systems: All platforms where affected Firefox versions run
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in libvpx library used for VP8/VP9 video decoding. All default configurations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the same privileges as the Firefox process, potentially leading to full system compromise.
🟠 Likely Case: Browser crash/denial of service, with potential for limited code execution in the sandboxed environment.
🟢 If Mitigated: Browser crash with no code execution, due to sandboxing and exploit mitigations.

🌐 Internet-Facing: HIGH - Firefox browsers are directly exposed to malicious web content.
🏢 Internal Only: MEDIUM - Internal users could be targeted via malicious internal sites or documents.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Heap buffer overflows typically require precise memory manipulation. No public exploit was available at advisory time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2026-10/

Restart Required: Yes

Instructions:

1. Open the Firefox menu > Help > About Firefox.
2. The browser will check for updates automatically.
3. Click 'Restart to update Firefox' when prompted.
4. For enterprise deployments, use Firefox policy templates or deployment tools.

🔧 Temporary Workarounds

Disable VP8/VP9 video playback (Platforms: all)

Prevents exploitation by disabling the vulnerable codec. Note that this also breaks legitimate playback of content that is only offered in VP8/VP9.

Set media.vp8.enabled to false in about:config
Set media.vp9.enabled to false in about:config

🧯 If You Can't Patch

  • Restrict access to untrusted websites and video content
  • Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check Firefox version in menu > Help > About Firefox

Check Version:

firefox --version (Linux/macOS) or check About Firefox (Windows)

Verify Fix Applied:

Verify the version is 147.0.4 or higher (or, on ESR, 140.7.1 / 115.32.1 or higher)
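A small version check that encodes the fixed versions from this advisory, added here as an example (it is not part of the advisory or of Mozilla's tooling). It assumes `firefox --version` prints a line of the form `Mozilla Firefox <version>` with an `esr` suffix on ESR builds, and treats any branch the advisory does not name as unpatched.

```python
import re
import subprocess

# Fixed versions stated in the advisory: mainline Firefox and the two ESR branches.
FIXED_RELEASE = (147, 0, 4)
FIXED_ESR = {140: (140, 7, 1), 115: (115, 32, 1)}


def parse_version(output: str) -> tuple:
    """Extract (major, minor, patch) from `firefox --version` output,
    e.g. 'Mozilla Firefox 140.7.1esr' -> (140, 7, 1). Missing patch -> 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", output)
    if not m:
        raise ValueError(f"no version number found in {output!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fixed_version_for(output: str) -> tuple:
    """Pick the fix threshold for the branch the output reports.
    ESR builds carry an 'esr' suffix; an ESR major the advisory does not
    list (e.g. an end-of-life branch) is compared against the mainline fix,
    which conservatively reports it as unpatched."""
    version = parse_version(output)
    if "esr" in output.lower() and version[0] in FIXED_ESR:
        return FIXED_ESR[version[0]]
    return FIXED_RELEASE


def is_vulnerable(output: str) -> bool:
    """True when the reported build is below the fix for its branch."""
    return parse_version(output) < fixed_version_for(output)


def installed_version_output(binary: str = "firefox") -> str:
    """Run `<binary> --version` (Linux/macOS) and return its stdout."""
    result = subprocess.run([binary, "--version"], capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    try:
        out = installed_version_output()
    except FileNotFoundError:
        out = "Mozilla Firefox 147.0.3"  # constructed sample when no binary is present
    status = "VULNERABLE" if is_vulnerable(out) else "fixed"
    print(f"{out}: {status} (fix threshold {fixed_version_for(out)})")
```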

📡 Detection & Monitoring

Log Indicators:

  • Firefox crash reports with libvpx in stack trace
  • Unexpected browser termination events

Network Indicators:

  • Multiple requests to video files with malformed headers

SIEM Query:

source="firefox.logs" AND (event="crash" OR event="termination") AND process="firefox"
