SB2026032468 - Multiple vulnerabilities in Mozilla Firefox
Published: March 24, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 45 security vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2026-4693)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to incorrect boundary conditions in the Audio/Video: Playback component when processing media content. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code.
Exploitation may result in memory corruption and arbitrary code execution in the context of the browser.
2) Out-of-bounds read (CVE-ID: CVE-2026-4709)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to incorrect boundary conditions in the Audio/Video: GMP component when processing media content. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code.
Exploitation may result in memory corruption and arbitrary code execution in the context of the browser, though impact is somewhat limited.
3) Out-of-bounds read (CVE-ID: CVE-2026-4707)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to incorrect boundary conditions in the Graphics: Canvas2D component when rendering canvas content. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code.
Exploitation may result in memory corruption and arbitrary code execution in the context of the browser, though impact is somewhat limited.
4) Out-of-bounds read (CVE-ID: CVE-2026-4706)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to incorrect boundary conditions in the Graphics: Canvas2D component when rendering canvas content. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code.
Exploitation may result in memory corruption and arbitrary code execution in the context of the browser, though impact is somewhat limited.
5) Out-of-bounds read (CVE-ID: CVE-2026-4699)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to incorrect boundary conditions in the Layout: Text and Fonts component when processing text content. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code.
Exploitation may result in memory corruption and arbitrary code execution in the context of the browser.
6) Heap-based Buffer Overflow (CVE-ID: CVE-2026-4698)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to JIT miscompilation in the JavaScript Engine: JIT component when executing JavaScript code. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code.
Exploitation could lead to memory corruption and arbitrary code execution in the context of the browser.
7) Use After Free (CVE-ID: CVE-2026-4696)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in the Layout: Text and Fonts component when processing text content. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code.
Exploitation could result in memory corruption and arbitrary code execution in the context of the browser.
8) Integer overflow (CVE-ID: CVE-2026-4694)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to an integer overflow (incorrect boundary conditions) in the Graphics component when rendering graphical content. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code.
Exploitation could lead to memory corruption and arbitrary code execution in the context of the browser.
9) Improper Access Control (CVE-ID: CVE-2026-4692)
The vulnerability allows a remote attacker to escape the sandbox.
The vulnerability exists due to improper access control in the Responsive Design Mode component when handling mode switching. A remote attacker can trick the victim into visiting a specially crafted website and escape the sandbox.
Successful exploitation could allow an attacker to execute code outside the browser's sandbox with elevated privileges.
10) Use After Free (CVE-ID: CVE-2026-4688)
The vulnerability allows a remote attacker to escape the sandbox and execute arbitrary code.
The vulnerability exists due to use-after-free in the Disability Access APIs component when processing accessibility events. A remote attacker can trick the victim into visiting a specially crafted website to escape the sandbox and execute arbitrary code.
11) Use After Free (CVE-ID: CVE-2026-4691)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in the CSS Parsing and Computation component when processing CSS content. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code.
Exploitation could result in memory corruption and arbitrary code execution in the context of the browser.
12) Integer overflow (CVE-ID: CVE-2026-4690)
The vulnerability allows a remote attacker to escape the sandbox.
The vulnerability exists due to an integer overflow (incorrect boundary conditions) in the XPCOM component when processing data. A remote attacker can trick the victim into visiting a specially crafted website and escape the sandbox.
Exploitation could lead to sandbox escape and arbitrary code execution in the context of the underlying operating system.
13) Integer overflow (CVE-ID: CVE-2026-4689)
The vulnerability allows a remote attacker to escape the sandbox.
The vulnerability exists due to an integer overflow (incorrect boundary conditions) in the XPCOM component when processing data. A remote attacker can trick the victim into visiting a specially crafted website and escape the sandbox.
Exploitation could lead to sandbox escape and arbitrary code execution in the context of the underlying operating system.
14) Out-of-bounds write (CVE-ID: CVE-2026-4687)
The vulnerability allows a remote attacker to escape the sandbox.
The vulnerability exists due to incorrect boundary conditions in the Telemetry component when handling telemetry data. A remote attacker can trick the victim into visiting a specially crafted website and escape the sandbox.
Successful exploitation could allow an attacker to execute code outside the browser's sandbox with elevated privileges.
15) Out-of-bounds read (CVE-ID: CVE-2026-4686)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to incorrect boundary conditions in the Graphics: Canvas2D component when rendering canvas content. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code.
Exploitation may result in memory corruption and arbitrary code execution in the context of the browser.
16) Out-of-bounds read (CVE-ID: CVE-2026-4685)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to incorrect boundary conditions in the Graphics: Canvas2D component when rendering canvas content. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code.
Exploitation may result in memory corruption and arbitrary code execution in the context of the browser.
17) Use After Free (CVE-ID: CVE-2026-4684)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a race condition leading to a use-after-free in the Graphics: WebRender component when processing graphical content. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code.
Exploitation could lead to memory corruption and arbitrary code execution in the context of the browser.
18) Out-of-bounds write (CVE-ID: CVE-2026-4721)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to memory safety bugs in multiple components when processing content. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code.
Multiple memory safety bugs were fixed; some showed evidence of memory corruption, indicating potential for arbitrary code execution.
19) Out-of-bounds read (CVE-ID: CVE-2026-4695)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to incorrect boundary conditions in the Audio/Video: Web Codecs component when processing encoded media. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
20) Out-of-bounds write (CVE-ID: CVE-2026-4720)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to memory safety bugs in multiple components when processing content. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
21) Exposure of sensitive information to an unauthorized actor (CVE-ID: CVE-2026-4712)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to information disclosure in the Widget: Cocoa component when handling UI events. A remote attacker can trick the victim into visiting a specially crafted website to disclose sensitive information.
22) Out-of-bounds read (CVE-ID: CVE-2026-4719)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to incorrect boundary conditions in the Graphics: Text component when rendering text. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
23) Type conversion (CVE-ID: CVE-2026-4718)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to undefined behavior in the WebRTC: Signaling component when processing signaling messages. A remote attacker can trick the victim into visiting a specially crafted website to cause a denial of service.
24) Improper Privilege Management (CVE-ID: CVE-2026-4717)
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to improper access control in the Netmonitor component when handling developer tools. A remote attacker can trick the victim into visiting a specially crafted website to escalate privileges.
25) Out-of-bounds read (CVE-ID: CVE-2026-4716)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to incorrect boundary conditions and uninitialized memory in the JavaScript Engine component when executing JavaScript code. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
26) Use of Uninitialized Variable (CVE-ID: CVE-2026-4715)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to uninitialized memory in the Graphics: Canvas2D component when processing graphical content. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
27) Out-of-bounds read (CVE-ID: CVE-2026-4714)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to incorrect boundary conditions in the Audio/Video component when processing media content. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
28) Out-of-bounds read (CVE-ID: CVE-2026-4713)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to incorrect boundary conditions in the Graphics component when processing graphical content. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
29) Use After Free (CVE-ID: CVE-2026-4711)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in the Widget: Cocoa component when handling UI events. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
30) Out-of-bounds read (CVE-ID: CVE-2026-4697)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to incorrect boundary conditions in the Audio/Video: Web Codecs component when processing encoded media. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
31) Out-of-bounds read (CVE-ID: CVE-2026-4710)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to incorrect boundary conditions in the Audio/Video component when processing media content. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
32) Out-of-bounds read (CVE-ID: CVE-2026-4708)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to incorrect boundary conditions in the Graphics component when processing graphical content. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
33) Type conversion (CVE-ID: CVE-2026-4705)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to undefined behavior in the WebRTC: Signaling component when processing signaling messages. A remote attacker can trick the victim into visiting a specially crafted website to cause a denial of service.
34) Resource exhaustion (CVE-ID: CVE-2026-4704)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to resource exhaustion in the WebRTC: Signaling component when handling signaling messages. A remote attacker can trick the victim into visiting a specially crafted website to cause a denial of service.
35) Insufficient Control Flow Management (CVE-ID: CVE-2026-4702)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to JIT miscompilation in the JavaScript Engine component when executing JavaScript code. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
36) Use After Free (CVE-ID: CVE-2026-4701)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in the JavaScript Engine component when executing JavaScript code. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
37) Exposure of sensitive information to an unauthorized actor (CVE-ID: CVE-2026-4700)
The vulnerability allows a remote attacker to bypass security mitigations.
The vulnerability exists due to improper input validation in the Networking: HTTP component when handling HTTP requests. A remote attacker can trick the victim into visiting a specially crafted website to bypass security mitigations.
38) Cross-Site Request Forgery (CSRF) (CVE-ID: CVE-2026-4728)
The vulnerability allows a remote attacker to perform phishing attacks.
The vulnerability exists due to a spoofing issue in the Privacy: Anti-Tracking component when handling website identifiers. A remote attacker can trick the victim into visiting a specially crafted website to perform phishing attacks.
39) Use After Free (CVE-ID: CVE-2026-4723)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a use-after-free in the JavaScript Engine component when processing JavaScript code. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
40) Improper Privilege Management (CVE-ID: CVE-2026-4722)
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to improper privilege management in the IPC component when handling inter-process communication. A remote attacker can trick the victim into visiting a specially crafted website to escalate privileges.
41) Out-of-bounds write (CVE-ID: CVE-2026-4729)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to memory safety bugs in multiple components when processing content. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
42) Resource exhaustion (CVE-ID: CVE-2026-4727)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of cryptographic operations in the Libraries (NSS) component. A remote attacker can trick the victim into visiting a specially crafted website to cause a denial of service.
43) Resource exhaustion (CVE-ID: CVE-2026-4726)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of XML content in the XML component when parsing documents. A remote attacker can trick the victim into visiting a specially crafted website to cause a denial of service.
44) Use After Free (CVE-ID: CVE-2026-4725)
The vulnerability allows a remote attacker to escape the sandbox.
The vulnerability exists due to a use-after-free in the Graphics: Canvas2D component when rendering content. A remote attacker can trick the victim into visiting a specially crafted website to escape the sandbox.
45) Type conversion (CVE-ID: CVE-2026-4724)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to undefined behavior in the Audio/Video component when processing media content. A remote attacker can trick the victim into visiting a specially crafted website to execute arbitrary code.
Remediation
Install the update from the vendor's website. The fixed version for each affected branch is given in the Mozilla Foundation Security Advisories listed under References; the release and ESR branches receive the fixes at different version numbers, so verify each branch separately.
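A practitioner rolling this update out across a fleet wants a repeatable check that the installed build is at or above the fixed version, on both the release and the ESR branch. The following is an added example for this page, not Mozilla's tooling. The two minimum versions in MIN_FIXED are placeholders (assumptions); replace them with the fixed versions stated in the referenced MFSA advisories. The parser handles the banner printed by `firefox --version`, e.g. "Mozilla Firefox 147.0.1" or "Mozilla Firefox 140.8.0esr", and the sample banners in the usage are constructed.

```python
"""Check whether an installed Firefox carries the fixes from this bulletin.

Added example, not Mozilla's code.  The version minima are placeholders:
take the real fixed versions from the MFSA advisories under References.
"""
import re
import subprocess
from typing import Optional, Tuple

# ASSUMPTION: placeholder minima, one per branch.  The ESR branch receives
# the same fixes at a different version number, so it is checked on its own.
MIN_FIXED = {
    "release": (148, 0, 0),
    "esr": (140, 8, 0),
}

# Matches "147.0.1", "148.0" and "140.8.0esr"; the patch field is optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(banner: str) -> Tuple[Tuple[int, int, int], str]:
    """Turn a `firefox --version` banner into ((major, minor, patch), branch).

    branch is "esr" when the version carries the esr suffix, else "release".
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no Firefox version found in: {banner!r}")
    major, minor, patch, esr = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    return version, ("esr" if esr else "release")


def is_patched(banner: str, minima=MIN_FIXED) -> bool:
    """True when the banner's version is at or above the minimum for its branch."""
    version, branch = parse_version(banner)
    return version >= minima[branch]


def installed_banner(binary: str = "firefox") -> Optional[str]:
    """Return the local binary's `--version` output, or None if it is not found."""
    try:
        proc = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stdout.strip() or None


if __name__ == "__main__":
    banner = installed_banner()
    if banner is None:
        print("firefox not found on PATH")
    else:
        state = "patched" if is_patched(banner) else "VULNERABLE"
        print(f"{banner}: {state}")
```

Run it on the host to get a one-line verdict; for fleet use, call `is_patched` on banners collected by your inventory tool so that an ESR install is never judged against the release minimum, which would either flag every ESR host or, worse, pass an unpatched one.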
References
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-21/
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/
- https://bugzilla.mozilla.org/show_bug.cgi?id=2018102
- https://bugzilla.mozilla.org/show_bug.cgi?id=2016329
- https://bugzilla.mozilla.org/show_bug.cgi?id=2015267
- https://bugzilla.mozilla.org/show_bug.cgi?id=2015091
- https://bugzilla.mozilla.org/show_bug.cgi?id=2021863
- https://bugzilla.mozilla.org/show_bug.cgi?id=2020906
- https://bugzilla.mozilla.org/show_bug.cgi?id=2020190
- https://bugzilla.mozilla.org/show_bug.cgi?id=2018430
- https://bugzilla.mozilla.org/show_bug.cgi?id=2017643
- https://bugzilla.mozilla.org/show_bug.cgi?id=2016373
- https://bugzilla.mozilla.org/show_bug.cgi?id=2017512
- https://bugzilla.mozilla.org/show_bug.cgi?id=2016375
- https://bugzilla.mozilla.org/show_bug.cgi?id=2016374
- https://bugzilla.mozilla.org/show_bug.cgi?id=2016368
- https://bugzilla.mozilla.org/show_bug.cgi?id=2016351
- https://bugzilla.mozilla.org/show_bug.cgi?id=2016349
- https://bugzilla.mozilla.org/show_bug.cgi?id=2011129
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2013762
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2015291
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2016591
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2016661
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2016664
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2017303
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2017894
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2018090
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2018196
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2018379
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2019112
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022090
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022243
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022351
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022478
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022676
- https://bugzilla.mozilla.org/show_bug.cgi?id=2020030
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2004652
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2019372
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2021922
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022567
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022733
- https://bugzilla.mozilla.org/show_bug.cgi?id=2017666
- https://bugzilla.mozilla.org/show_bug.cgi?id=2016367
- https://bugzilla.mozilla.org/show_bug.cgi?id=2014864
- https://bugzilla.mozilla.org/show_bug.cgi?id=2021695
- https://bugzilla.mozilla.org/show_bug.cgi?id=2018592
- https://bugzilla.mozilla.org/show_bug.cgi?id=2018405
- https://bugzilla.mozilla.org/show_bug.cgi?id=2018126
- https://bugzilla.mozilla.org/show_bug.cgi?id=2018113
- https://bugzilla.mozilla.org/show_bug.cgi?id=2017002
- https://bugzilla.mozilla.org/show_bug.cgi?id=2020422
- https://bugzilla.mozilla.org/show_bug.cgi?id=2016370
- https://bugzilla.mozilla.org/show_bug.cgi?id=2015268
- https://bugzilla.mozilla.org/show_bug.cgi?id=2014873
- https://bugzilla.mozilla.org/show_bug.cgi?id=2014868
- https://bugzilla.mozilla.org/show_bug.cgi?id=2013560
- https://bugzilla.mozilla.org/show_bug.cgi?id=2009303
- https://bugzilla.mozilla.org/show_bug.cgi?id=2003766
- https://bugzilla.mozilla.org/show_bug.cgi?id=2013179
- https://bugzilla.mozilla.org/show_bug.cgi?id=2013573
- https://bugzilla.mozilla.org/show_bug.cgi?id=2010097
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=1944033
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=1997282
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2009213
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2011412
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2021925
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022034
- https://bugzilla.mozilla.org/show_bug.cgi?id=2008112
- https://bugzilla.mozilla.org/show_bug.cgi?id=1955311
- https://bugzilla.mozilla.org/show_bug.cgi?id=2017108
- https://bugzilla.mozilla.org/show_bug.cgi?id=2014865