Vulnerability Description
Heap buffer overflow in libvpx. This vulnerability was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2.
CVSS Score
8.8
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 115.32.1 |
| Mozilla | Thunderbird | < 140.7.2 |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=2014390Issue TrackingPermissions Required
- https://www.mozilla.org/security/advisories/mfsa2026-10/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2026-11/Vendor Advisory
- https://lists.debian.org/debian-lts-announce/2026/02/msg00028.html
FAQ
What is CVE-2026-2447?
CVE-2026-2447 is a vulnerability with a CVSS score of 8.8 (HIGH). Heap buffer overflow in libvpx. This vulnerability was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2.
How severe is CVE-2026-2447?
CVE-2026-2447 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-2447?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Thunderbird.