Mozilla released Firefox 147 on January 13, 2026, addressing 16 security vulnerabilities detailed in the Mozilla Foundation Security Advisory.
The update patches critical issues across components such as graphics, JavaScript, and networking, including six high-impact flaws, several of them sandbox escapes, that could enable arbitrary code execution if exploited.
The same fixes ship in Firefox ESR 140.7, Thunderbird ESR 140.7 and Thunderbird 147, and users are urged to update immediately amid rising browser-targeted attacks.
The release counters sophisticated threats uncovered through bug reports and fuzzing. High-severity vulnerabilities dominate, particularly sandbox escapes in the graphics and messaging-system components; the graphics flaws were reported largely by researcher Oskar L.
The memory safety bugs tracked as CVE-2026-0891 and CVE-2026-0892 showed evidence of memory corruption and are presumed exploitable with enough effort. No active exploitation has been confirmed, but the cluster of graphics flaws highlights ongoing risks in WebGL and Canvas rendering.
High-Impact Sandbox Escapes and Memory Corruption
Several vulnerabilities enable sandbox escapes, breaching Firefox’s process isolation. CVE-2026-0877 is a mitigation bypass in the DOM security component, while CVE-2026-0878 through CVE-2026-0880 are sandbox escapes caused by incorrect boundary conditions and an integer overflow in the Graphics and Graphics: CanvasWebGL components.
CVE-2026-0881 is a sandbox escape in the Messaging System, and a use-after-free in the IPC component (CVE-2026-0882) adds to the tally. These high-impact issues, fixed in version 147, could let attackers run code outside sandboxed contexts.
| CVE ID | Description/Component | Impact | Reporter(s) |
|---|---|---|---|
| CVE-2026-0877 | Mitigation bypass in the DOM: Security component | High | mingijung |
| CVE-2026-0878 | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component | High | Oskar L |
| CVE-2026-0879 | Sandbox escape due to incorrect boundary conditions in the Graphics component | High | Oskar L |
| CVE-2026-0880 | Sandbox escape due to integer overflow in the Graphics component | High | Oskar L |
| CVE-2026-0881 | Sandbox escape in the Messaging System component | High | Andrew McCreight |
| CVE-2026-0882 | Use-after-free in the IPC component | High | Randell Jesup |
| CVE-2026-0883 | Information disclosure in the Networking component | Moderate | Vladislav Plyatsok |
| CVE-2026-0884 | Use-after-free in the JavaScript Engine component | Moderate | Gary Kwong and Nan Wang |
| CVE-2026-0885 | Use-after-free in the JavaScript: GC component | Moderate | Irvan Kurniawan |
| CVE-2026-0886 | Incorrect boundary conditions in the Graphics component | Moderate | Oskar L |
| CVE-2026-0887 | Clickjacking issue, information disclosure in the PDF Viewer component | Moderate | Lyra Rebane |
| CVE-2026-0888 | Information disclosure in the XML component | Low | Pier Angelo Vendrame |
| CVE-2026-0889 | Denial-of-service in the DOM: Service Workers component | Low | Elysee Franchuk, Caleb Lerch |
| CVE-2026-0890 | Spoofing issue in the DOM: Copy & Paste and Drag & Drop component | Low | Edgar Chen |
| CVE-2026-0891 | Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147 | High | Andrew McCreight, Dennis Jackson and the Mozilla Fuzzing Team |
Mozilla’s fuzzing team identified the memory safety bugs tracked as CVE-2026-0891 (affecting Firefox ESR 140.6, Firefox 146 and Thunderbird 146) and CVE-2026-0892 (affecting Firefox 146 and Thunderbird 146). Individual bugs such as 1964722 and 2004443 exhibited memory-corruption patterns that could be exploited.
Organizations should prioritize updates via Firefox’s auto-updater or admin consoles.
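As an added example (not from the article or from Mozilla), a small Python check that parses the output of `firefox --version` and decides whether the installed build is at or above the fixed versions named above: 147 on the release channel and 140.7 on the ESR channel. The `check_installed` helper and the binary names are assumptions; the version floors come from the advisory summary.

```python
import re
import shutil
import subprocess

# Fixed versions from the advisory summarised above: Firefox 147 (release)
# and Firefox ESR 140.7. Thunderbird shares the same floors (147 / ESR 140.7).
PATCHED = {"release": (147, 0, 0), "esr": (140, 7, 0)}

# Matches "146.0.1", "147.0" or "140.6.0esr" inside a --version line.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text: str):
    """Parse text such as 'Mozilla Firefox 146.0.1' or 'Mozilla Firefox 140.6.0esr'.
    Returns (channel, (major, minor, patch)) or None when no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, esr = m.groups()
    channel = "esr" if esr else "release"
    return channel, (int(major), int(minor), int(patch or 0))


def is_patched(text: str) -> bool:
    """True when the reported version is at or above the advisory's fixed version
    for its channel. Unparsable output is treated as unpatched (fail closed)."""
    parsed = parse_version(text)
    if parsed is None:
        return False
    channel, version = parsed
    return version >= PATCHED[channel]


def check_installed(binary: str = "firefox"):
    """Assumed helper: run `<binary> --version` on this host.
    Returns (version_line, patched) or None when the binary is not on PATH."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True,
                         text=True, timeout=30).stdout.strip()
    return out, is_patched(out)


if __name__ == "__main__":
    for name in ("firefox", "thunderbird"):
        result = check_installed(name)
        print(name, "not found" if result is None else result)
```

The ESR comparison deliberately flags older ESR lines (anything below 140.7) as unpatched rather than trying to map each line to its own fixed build.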
