
Firefox 147 Released With Fixes for 16 Vulnerabilities that Enable Arbitrary Code Execution - CybersecurityNews

CybersecurityNews Archived Mar 17, 2026 ✓ Full text saved


Mozilla released Firefox 147 on January 13, 2026, addressing 16 security vulnerabilities detailed in the Mozilla Foundation Security Advisory. The update patches critical issues across components such as graphics, JavaScript, and networking, including six high-impact flaws, several of them sandbox escapes, that could enable arbitrary code execution if exploited.

These fixes also apply to Firefox ESR 140.7 and Thunderbird ESR 140.7/147. Users are urged to update immediately amid rising browser-targeted attacks.

The release counters sophisticated threats uncovered through bug reports and fuzzing. High-severity vulnerabilities dominate, particularly sandbox escapes in graphics and messaging systems, reported largely by researcher Oskar L. The memory safety bugs tracked as CVE-2026-0891 and CVE-2026-0892 showed evidence of corruption and are likely exploitable with effort. No active exploitation has been confirmed, but the cluster of graphics flaws highlights ongoing risks in WebGL and Canvas rendering.

High-Impact Sandbox Escapes and Memory Corruption

Several vulnerabilities enable sandbox escapes, breaching Firefox’s isolation mechanisms. CVE-2026-0877 allows a DOM mitigation bypass, while CVE-2026-0878 through CVE-2026-0880 stem from incorrect boundary conditions and integer overflows in Graphics and CanvasWebGL. CVE-2026-0881 targets the Messaging System. A use-after-free in IPC (CVE-2026-0882) adds to the tally. These high-impact issues, fixed in version 147, could let attackers run code outside sandboxed contexts.
| CVE ID | Description/Component | Impact | Reporter(s) |
|---|---|---|---|
| CVE-2026-0877 | Mitigation bypass in the DOM: Security component | High | mingijung |
| CVE-2026-0878 | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component | High | Oskar L |
| CVE-2026-0879 | Sandbox escape due to incorrect boundary conditions in the Graphics component | High | Oskar L |
| CVE-2026-0880 | Sandbox escape due to integer overflow in the Graphics component | High | Oskar L |
| CVE-2026-0881 | Sandbox escape in the Messaging System component | High | Andrew McCreight |
| CVE-2026-0882 | Use-after-free in the IPC component | High | Randell Jesup |
| CVE-2026-0883 | Information disclosure in the Networking component | Moderate | Vladislav Plyatsok |
| CVE-2026-0884 | Use-after-free in the JavaScript Engine component | Moderate | Gary Kwong and Nan Wang |
| CVE-2026-0885 | Use-after-free in the JavaScript: GC component | Moderate | Irvan Kurniawan |
| CVE-2026-0886 | Incorrect boundary conditions in the Graphics component | Moderate | Oskar L |
| CVE-2026-0887 | Clickjacking issue, information disclosure in the PDF Viewer component | Moderate | Lyra Rebane |
| CVE-2026-0888 | Information disclosure in the XML component | Low | Pier Angelo Vendrame |
| CVE-2026-0889 | Denial-of-service in the DOM: Service Workers component | Low | Elysee Franchuk, Caleb Lerch |
| CVE-2026-0890 | Spoofing issue in the DOM: Copy & Paste and Drag & Drop component | Low | Edgar Chen |
| CVE-2026-0891 | Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147 | High | Andrew McCreight, Dennis Jackson and the Mozilla Fuzzing Team |

Mozilla’s fuzzing team identified memory safety bugs fixed in CVE-2026-0891 (affecting ESR 140.6, Firefox 146, Thunderbird 146) and CVE-2026-0892 (Firefox/Thunderbird 146). Bugs like 1964722 and 2004443 exhibited corruption patterns ripe for exploitation.

Organizations should prioritize updates via Firefox’s auto-updater or admin consoles.
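For fleets where updates are pushed from an admin console, the fixed versions named in the article can be turned into an inventory check. The Python code below is an added example, not from the article or from Mozilla; the host names and version strings are constructed, and it assumes the inventory records ESR builds with an "esr" suffix (for example "140.7.0esr").

```python
import re

# Fixed releases as stated in the article: Firefox 147, Thunderbird 147,
# Firefox ESR 140.7 and Thunderbird ESR 140.7.
FIXED = {
    ("firefox", "release"): (147, 0),
    ("firefox", "esr"): (140, 7),
    ("thunderbird", "release"): (147, 0),
    ("thunderbird", "esr"): (140, 7),
}

# major[.minor[.patch...]] with an optional "esr" suffix; beta/alpha tags do not match.
_VERSION = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.\d+)*(esr)?$", re.IGNORECASE)

def classify(product, version):
    """Return 'patched', 'update' or 'unknown' for one inventory entry."""
    product = product.strip().lower()
    m = _VERSION.match(version.strip())
    if not m or product not in ("firefox", "thunderbird"):
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2) or 0)
    channel = "esr" if m.group(3) else "release"
    fixed_major, fixed_minor = FIXED[(product, channel)]
    if channel == "esr" and major != fixed_major:
        # The article only covers the ESR 140 branch; do not guess about others.
        return "unknown"
    return "patched" if (major, minor) >= (fixed_major, fixed_minor) else "update"

def audit(inventory):
    """Group host names by classification so 'update' and 'unknown' can be triaged."""
    report = {"patched": [], "update": [], "unknown": []}
    for host, product, version in inventory:
        report[classify(product, version)].append(host)
    return report

# Constructed sample inventory: (host, product, reported version).
SAMPLE = [
    ("ws-01", "Firefox", "147.0"),
    ("ws-02", "Firefox", "146.0.1"),
    ("ws-03", "Firefox", "140.6.0esr"),
    ("ws-04", "Firefox", "140.7.0esr"),
    ("ws-05", "Thunderbird", "146.0"),
    ("ws-06", "Firefox", "115.20.0esr"),
    ("ws-07", "Thunderbird", "147.0b2"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Entries reported as "unknown" (other ESR branches, pre-release builds, unparseable strings) need manual review rather than being counted as patched.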