ISN 2026-27: Firefox ESR Vulnerabilities

First published 9 July 2026

CVSS:3.1: 7.5 (High)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Multiple security vulnerabilities have been found in Firefox ESR, a web browser used in IGEL OS. This affects the following product versions:

  • IGEL OS 12

  • IGEL OS 11

Details

Incorrect boundary conditions affect Firefox’s Web Codecs component (CVE-2026-8946, high) and the JavaScript Engine JIT component (CVE-2026-8388, high). Mozilla also reports “another issue” rated high in the JavaScript Engine (CVE-2026-8391).

Apart from these, a use-after-free has been found in the DOM: Bindings (WebIDL) component (CVE-2026-8947, high), and a Sandbox escape in the Profile Backup (CVE-2026-8401, high).

Update Instructions

  • OS 12: Upgrade the Firefox ESR app to version 140.12 or newer.

  • OS 11: IGEL OS 11 reached End of Maintenance in June 2026. To ensure continued access to security updates and support, we recommend migrating to IGEL OS 12.

References

Mozilla Foundation Security Advisory 2026-58: https://www.mozilla.org/en-US/security/advisories/mfsa2026-58/