ISN 2026-05: Firefox ESR Vulnerabilities
First published 2 March 2026
CVSS 3.1: 8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Multiple security vulnerabilities have been found in Firefox ESR, a web browser used in IGEL OS. This affects the following product versions:
IGEL OS 12
IGEL OS 11
Details
A heap buffer overflow has been found in libvpx, a library that Firefox uses for playing the VP8/VP9 open video codecs. This issue could lead to denial of service or potentially the execution of arbitrary code (CVE-2026-2447, high).
The JavaScript support in Firefox ESR has multiple security issues: a use-after-free in the garbage collector (CVE-2026-2758, high), an integer overflow in the standard library (CVE-2026-2762, high), a use-after-free in the V8 engine (CVE-2026-2763, high), a JIT miscompilation and use-after-free (CVE-2026-2764, high), and a use-after-free in the WebAssembly component (CVE-2026-2767, high).
In addition, sandbox escapes are possible in the DOM: Core & HTML component (CVE-2026-2778, high) and the Storage: IndexedDB component (CVE-2026-2768, high). The Messaging System is affected by a privilege escalation (CVE-2026-2777, high).
A full list of vulnerabilities is available in MFSA 2026-15.
Update Instructions
OS 12: Update the Firefox ESR app to version 140.8 or newer and the Base System to 12.8.1 or newer when available from the IGEL App Portal.
OS 11: Update to IGEL OS 11.11.150.