CVE-2026-2447 PUBLISHED

Heap buffer overflow in libvpx

Assigner: mozilla
Reserved: 13.02.2026 Published: 16.02.2026 Updated: 16.02.2026

Heap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird < 140.7.2, and Thunderbird < 147.0.2.

Product Status

Vendor	Mozilla
Product	Firefox
Versions	affected from unspecified to 147.0.4 (excl.)

Vendor	Mozilla
Product	Firefox ESR
Versions	affected from unspecified to 140.7.1 (excl.)

Vendor	Mozilla
Product	Firefox ESR
Versions	affected from unspecified to 115.32.1 (excl.)

Vendor	Mozilla
Product	Thunderbird
Versions	affected from unspecified to 140.7.2 (excl.)

Vendor	Mozilla
Product	Thunderbird
Versions	affected from unspecified to 147.0.2 (excl.)

Credits

jayjayjazz

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2014390
https://www.mozilla.org/security/advisories/mfsa2026-10/
https://www.mozilla.org/security/advisories/mfsa2026-11/