Vulnerability-Lookup

RHSA-2026:7672

Vulnerability from csaf_redhat - Published: 2026-04-13 02:23 - Updated: 2026-04-14 13:34

Summary

Red Hat Security Advisory: firefox security update

Severity

Important

Notes

Topic: An update for firefox is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fix(es): * libpng: libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416) * libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636) * thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5734) * thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5731) * firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component (CVE-2026-5732) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-5731

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-787 - Out-of-bounds Write

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2026:7672

CVE-2026-5732

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Incorrect boundary conditions, integer overflow in the Graphics: Text component

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-190 - Integer Overflow or Wraparound

CVE-2026-5734

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-787 - Out-of-bounds Write

CVE-2026-33416

A flaw was found in libpng, a library used for processing PNG (Portable Network Graphics) image files. This vulnerability arises from improper memory management where a heap-allocated buffer is aliased between internal data structures. When specific functions are called, a freed memory region can still be referenced, leading to a use-after-free condition. An attacker could potentially exploit this to achieve arbitrary code execution or cause a denial of service.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-825 - Expired Pointer Dereference

Workaround To reduce exposure, avoid processing untrusted PNG image files with applications that utilize libpng. Restricting the source of PNG images to trusted origins can limit the attack surface.

CVE-2026-33636

A flaw was found in libpng. A remote attacker could exploit an out-of-bounds read and write vulnerability in the ARM/AArch64 Neon-optimized palette expansion path. This occurs when processing a final partial chunk of 8-bit paletted rows without verifying sufficient input pixels, leading to dereferencing pointers before the start of the row buffer and writing expanded pixel data to underflowed positions. This flaw can result in information disclosure and denial of service.

7.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

CWE-124 - Buffer Underwrite ('Buffer Underflow')

Workaround Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

References

URL

Category

	https://access.redhat.com/errata/RHSA-2026:7672	self
	https://access.redhat.com/security/updates/classi…	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2451805	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2451819	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2455897	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2455901	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2455908	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2026-5731	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2455901	external
	https://www.cve.org/CVERecord?id=CVE-2026-5731	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-5731	external
	https://www.mozilla.org/security/advisories/mfsa2…	external
	https://www.mozilla.org/security/advisories/mfsa2…	external
	https://access.redhat.com/security/cve/CVE-2026-5732	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2455908	external
	https://www.cve.org/CVERecord?id=CVE-2026-5732	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-5732	external
	https://www.mozilla.org/security/advisories/mfsa2…	external
	https://www.mozilla.org/security/advisories/mfsa2…	external
	https://access.redhat.com/security/cve/CVE-2026-5734	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2455897	external
	https://www.cve.org/CVERecord?id=CVE-2026-5734	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-5734	external
	https://www.mozilla.org/security/advisories/mfsa2…	external
	https://www.mozilla.org/security/advisories/mfsa2…	external
	https://access.redhat.com/security/cve/CVE-2026-33416	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2451805	external
	https://www.cve.org/CVERecord?id=CVE-2026-33416	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-33416	external
	https://github.com/pnggroup/libpng/commit/2301926…	external
	https://github.com/pnggroup/libpng/commit/7ea9eea…	external
	https://github.com/pnggroup/libpng/commit/a3a2144…	external
	https://github.com/pnggroup/libpng/commit/c1b0318…	external
	https://github.com/pnggroup/libpng/pull/824	external
	https://github.com/pnggroup/libpng/security/advis…	external
	https://access.redhat.com/security/cve/CVE-2026-33636	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2451819	external
	https://www.cve.org/CVERecord?id=CVE-2026-33636	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-33636	external
	https://github.com/pnggroup/libpng/commit/7734cda…	external
	https://github.com/pnggroup/libpng/commit/aba9f18…	external
	https://github.com/pnggroup/libpng/security/advis…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for firefox is now available for Red Hat Enterprise Linux 10.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nSecurity Fix(es):\n\n* libpng: libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)\n\n* libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)\n\n* thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5734)\n\n* thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5731)\n\n* firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component (CVE-2026-5732)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:7672",
        "url": "https://access.redhat.com/errata/RHSA-2026:7672"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2451805",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451805"
      },
      {
        "category": "external",
        "summary": "2451819",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451819"
      },
      {
        "category": "external",
        "summary": "2455897",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455897"
      },
      {
        "category": "external",
        "summary": "2455901",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455901"
      },
      {
        "category": "external",
        "summary": "2455908",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455908"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7672.json"
      }
    ],
    "title": "Red Hat Security Advisory: firefox security update",
    "tracking": {
      "current_release_date": "2026-04-14T13:34:29+00:00",
      "generator": {
        "date": "2026-04-14T13:34:29+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.5"
        }
      },
      "id": "RHSA-2026:7672",
      "initial_release_date": "2026-04-13T02:23:37+00:00",
      "revision_history": [
        {
          "date": "2026-04-13T02:23:37+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-13T02:23:37+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-04-14T13:34:29+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AppStream (v. 10)",
                "product": {
                  "name": "Red Hat Enterprise Linux AppStream (v. 10)",
                  "product_id": "AppStream-10.1.Z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:10.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "firefox-0:140.9.1-1.el10_1.src",
                "product": {
                  "name": "firefox-0:140.9.1-1.el10_1.src",
                  "product_id": "firefox-0:140.9.1-1.el10_1.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/firefox@140.9.1-1.el10_1?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "firefox-0:140.9.1-1.el10_1.aarch64",
                "product": {
                  "name": "firefox-0:140.9.1-1.el10_1.aarch64",
                  "product_id": "firefox-0:140.9.1-1.el10_1.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/firefox@140.9.1-1.el10_1?arch=aarch64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
                "product": {
                  "name": "firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
                  "product_id": "firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/firefox-debugsource@140.9.1-1.el10_1?arch=aarch64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
                "product": {
                  "name": "firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
                  "product_id": "firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/firefox-debuginfo@140.9.1-1.el10_1?arch=aarch64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "firefox-0:140.9.1-1.el10_1.ppc64le",
                "product": {
                  "name": "firefox-0:140.9.1-1.el10_1.ppc64le",
                  "product_id": "firefox-0:140.9.1-1.el10_1.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/firefox@140.9.1-1.el10_1?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
                "product": {
                  "name": "firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
                  "product_id": "firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/firefox-debugsource@140.9.1-1.el10_1?arch=ppc64le"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
                "product": {
                  "name": "firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
                  "product_id": "firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/firefox-debuginfo@140.9.1-1.el10_1?arch=ppc64le"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "firefox-0:140.9.1-1.el10_1.s390x",
                "product": {
                  "name": "firefox-0:140.9.1-1.el10_1.s390x",
                  "product_id": "firefox-0:140.9.1-1.el10_1.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/firefox@140.9.1-1.el10_1?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "firefox-debugsource-0:140.9.1-1.el10_1.s390x",
                "product": {
                  "name": "firefox-debugsource-0:140.9.1-1.el10_1.s390x",
                  "product_id": "firefox-debugsource-0:140.9.1-1.el10_1.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/firefox-debugsource@140.9.1-1.el10_1?arch=s390x"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
                "product": {
                  "name": "firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
                  "product_id": "firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/firefox-debuginfo@140.9.1-1.el10_1?arch=s390x"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "firefox-0:140.9.1-1.el10_1.x86_64",
                "product": {
                  "name": "firefox-0:140.9.1-1.el10_1.x86_64",
                  "product_id": "firefox-0:140.9.1-1.el10_1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/firefox@140.9.1-1.el10_1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "firefox-debugsource-0:140.9.1-1.el10_1.x86_64",
                "product": {
                  "name": "firefox-debugsource-0:140.9.1-1.el10_1.x86_64",
                  "product_id": "firefox-debugsource-0:140.9.1-1.el10_1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/firefox-debugsource@140.9.1-1.el10_1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
                "product": {
                  "name": "firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
                  "product_id": "firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/firefox-debuginfo@140.9.1-1.el10_1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-0:140.9.1-1.el10_1.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64"
        },
        "product_reference": "firefox-0:140.9.1-1.el10_1.aarch64",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-0:140.9.1-1.el10_1.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le"
        },
        "product_reference": "firefox-0:140.9.1-1.el10_1.ppc64le",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-0:140.9.1-1.el10_1.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x"
        },
        "product_reference": "firefox-0:140.9.1-1.el10_1.s390x",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-0:140.9.1-1.el10_1.src as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src"
        },
        "product_reference": "firefox-0:140.9.1-1.el10_1.src",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-0:140.9.1-1.el10_1.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64"
        },
        "product_reference": "firefox-0:140.9.1-1.el10_1.x86_64",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-debuginfo-0:140.9.1-1.el10_1.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64"
        },
        "product_reference": "firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le"
        },
        "product_reference": "firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-debuginfo-0:140.9.1-1.el10_1.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x"
        },
        "product_reference": "firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-debuginfo-0:140.9.1-1.el10_1.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64"
        },
        "product_reference": "firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-debugsource-0:140.9.1-1.el10_1.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64"
        },
        "product_reference": "firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-debugsource-0:140.9.1-1.el10_1.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le"
        },
        "product_reference": "firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-debugsource-0:140.9.1-1.el10_1.s390x as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x"
        },
        "product_reference": "firefox-debugsource-0:140.9.1-1.el10_1.s390x",
        "relates_to_product_reference": "AppStream-10.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "firefox-debugsource-0:140.9.1-1.el10_1.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 10)",
          "product_id": "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
        },
        "product_reference": "firefox-debugsource-0:140.9.1-1.el10_1.x86_64",
        "relates_to_product_reference": "AppStream-10.1.Z"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-5731",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "discovery_date": "2026-04-07T13:01:15.389776+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455901"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Firefox and Thunderbird. The Mozilla Foundation\u0027s Security Advisory describes the following issue:\nMemory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-5731"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455901",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455901"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-5731",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-5731"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-5731",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5731"
        },
        {
          "category": "external",
          "summary": "https://www.mozilla.org/security/advisories/mfsa2026-27/#CVE-2026-5731",
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-27/#CVE-2026-5731"
        },
        {
          "category": "external",
          "summary": "https://www.mozilla.org/security/advisories/mfsa2026-29/#CVE-2026-5731",
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-29/#CVE-2026-5731"
        }
      ],
      "release_date": "2026-04-07T12:43:11.895000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-13T02:23:37+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7672"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2"
    },
    {
      "cve": "CVE-2026-5732",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "discovery_date": "2026-04-07T13:01:39.095775+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455908"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Firefox and Thunderbird. The Mozilla Foundation\u0027s Security Advisory describes the following issue:\nIncorrect boundary conditions, integer overflow in the Graphics: Text component",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-5732"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455908",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455908"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-5732",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-5732"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-5732",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5732"
        },
        {
          "category": "external",
          "summary": "https://www.mozilla.org/security/advisories/mfsa2026-27/#CVE-2026-5732",
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-27/#CVE-2026-5732"
        },
        {
          "category": "external",
          "summary": "https://www.mozilla.org/security/advisories/mfsa2026-29/#CVE-2026-5732",
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-29/#CVE-2026-5732"
        }
      ],
      "release_date": "2026-04-07T12:43:12.829000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-13T02:23:37+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7672"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component"
    },
    {
      "cve": "CVE-2026-5734",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "discovery_date": "2026-04-07T13:01:01.022958+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2455897"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Firefox and Thunderbird. The Mozilla Foundation\u0027s Security Advisory describes the following issue:\nMemory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-5734"
        },
        {
          "category": "external",
          "summary": "RHBZ#2455897",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455897"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-5734",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-5734"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-5734",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5734"
        },
        {
          "category": "external",
          "summary": "https://www.mozilla.org/security/advisories/mfsa2026-27/#CVE-2026-5734",
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-27/#CVE-2026-5734"
        },
        {
          "category": "external",
          "summary": "https://www.mozilla.org/security/advisories/mfsa2026-29/#CVE-2026-5734",
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-29/#CVE-2026-5734"
        }
      ],
      "release_date": "2026-04-07T12:43:14.833000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-13T02:23:37+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7672"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2"
    },
    {
      "cve": "CVE-2026-33416",
      "cwe": {
        "id": "CWE-825",
        "name": "Expired Pointer Dereference"
      },
      "discovery_date": "2026-03-26T18:01:55.592413+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2451805"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in libpng, a library used for processing PNG (Portable Network Graphics) image files. This vulnerability arises from improper memory management where a heap-allocated buffer is aliased between internal data structures. When specific functions are called, a freed memory region can still be referenced, leading to a use-after-free condition. An attacker could potentially exploit this to achieve arbitrary code execution or cause a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "libpng: libpng: Arbitrary code execution due to use-after-free vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33416"
        },
        {
          "category": "external",
          "summary": "RHBZ#2451805",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451805"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33416",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33416"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33416",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33416"
        },
        {
          "category": "external",
          "summary": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb",
          "url": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb"
        },
        {
          "category": "external",
          "summary": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667",
          "url": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667"
        },
        {
          "category": "external",
          "summary": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25",
          "url": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25"
        },
        {
          "category": "external",
          "summary": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1",
          "url": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1"
        },
        {
          "category": "external",
          "summary": "https://github.com/pnggroup/libpng/pull/824",
          "url": "https://github.com/pnggroup/libpng/pull/824"
        },
        {
          "category": "external",
          "summary": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j",
          "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j"
        }
      ],
      "release_date": "2026-03-26T16:48:54.174000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-13T02:23:37+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7672"
        },
        {
          "category": "workaround",
          "details": "To reduce exposure, avoid processing untrusted PNG image files with applications that utilize libpng. Restricting the source of PNG images to trusted origins can limit the attack surface.",
          "product_ids": [
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "libpng: libpng: Arbitrary code execution due to use-after-free vulnerability"
    },
    {
      "cve": "CVE-2026-33636",
      "cwe": {
        "id": "CWE-124",
        "name": "Buffer Underwrite (\u0027Buffer Underflow\u0027)"
      },
      "discovery_date": "2026-03-26T18:02:51.339603+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2451819"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in libpng. A remote attacker could exploit an out-of-bounds read and write vulnerability in the ARM/AArch64 Neon-optimized palette expansion path. This occurs when processing a final partial chunk of 8-bit paletted rows without verifying sufficient input pixels, leading to dereferencing pointers before the start of the row buffer and writing expanded pixel data to underflowed positions. This flaw can result in information disclosure and denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
          "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
          "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
          "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33636"
        },
        {
          "category": "external",
          "summary": "RHBZ#2451819",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451819"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33636",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33636"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33636",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33636"
        },
        {
          "category": "external",
          "summary": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869",
          "url": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869"
        },
        {
          "category": "external",
          "summary": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3",
          "url": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3"
        },
        {
          "category": "external",
          "summary": "https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2",
          "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2"
        }
      ],
      "release_date": "2026-03-26T16:51:58.289000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-13T02:23:37+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:7672"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.src",
            "AppStream-10.1.Z:firefox-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debuginfo-0:140.9.1-1.el10_1.x86_64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.aarch64",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.ppc64le",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.s390x",
            "AppStream-10.1.Z:firefox-debugsource-0:140.9.1-1.el10_1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion"
    }
  ]
}

CVE-2026-5731 (GCVE-0-2026-5731)

Vulnerability from cvelistv5 – Published: 2026-04-07 12:43 – Updated: 2026-04-13 13:51

Title

Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2

Summary

Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Assigner

mozilla

References

URL

Tags

	https://bugzilla.mozilla.org/buglist.cgi?bug_id=2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Unaffected: 115.34.1 , ≤ 115.* (rpm)
Unaffected: 140.9.1 , ≤ 140.* (rpm)
Unaffected: 149.0.2 , ≤ * (rpm)

Mozilla

Thunderbird

Unaffected: 140.9.1 , ≤ 140.* (rpm)
Unaffected: 149.0.2 , ≤ * (rpm)

Credits

Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-5731",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-119",
                "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T03:55:32.832Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "115.*",
              "status": "unaffected",
              "version": "115.34.1",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9.1",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149.0.2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9.1",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149.0.2",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1."
            }
          ],
          "value": "Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T13:51:32.565Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "name": "Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2",
          "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=2021894%2C2022225%2C2022252%2C2022294%2C2023007%2C2023130%2C2023191%2C2023364%2C2023829%2C2024074%2C2024417%2C2024433%2C2024436%2C2024437%2C2024453%2C2024461%2C2024462%2C2024472%2C2024474%2C2024477%2C2025364%2C2025401%2C2025402%2C2025472%2C2026287%2C2026299%2C2026305%2C2026426"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-25/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-26/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-27/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-28/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-29/"
        }
      ],
      "title": "Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2026-5731",
    "datePublished": "2026-04-07T12:43:11.895Z",
    "dateReserved": "2026-04-07T12:43:11.413Z",
    "dateUpdated": "2026-04-13T13:51:32.565Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33636 (GCVE-0-2026-33636)

Vulnerability from cvelistv5 – Published: 2026-03-26 16:51 – Updated: 2026-03-26 18:45

Title

LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64

Summary

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.

Severity ?

7.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

CWE

CWE-125 - Out-of-bounds Read
CWE-787 - Out-of-bounds Write

Assigner

GitHub_M

References

URL

Tags

	https://github.com/pnggroup/libpng/security/advis…	x_refsource_CONFIRM
	https://github.com/pnggroup/libpng/commit/7734cda…	x_refsource_MISC
	https://github.com/pnggroup/libpng/commit/aba9f18…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	pnggroup	libpng	Affected: >= 1.6.36, < 1.6.56

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33636",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T18:45:14.491475Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-26T18:45:26.631Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "libpng",
          "vendor": "pnggroup",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.6.36, \u003c 1.6.56"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng\u0027s ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T16:51:58.289Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-wjr5-c57x-95m2"
        },
        {
          "name": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pnggroup/libpng/commit/7734cda20cf1236aef60f3bbd2267c97bbb40869"
        },
        {
          "name": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3"
        }
      ],
      "source": {
        "advisory": "GHSA-wjr5-c57x-95m2",
        "discovery": "UNKNOWN"
      },
      "title": "LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33636",
    "datePublished": "2026-03-26T16:51:58.289Z",
    "dateReserved": "2026-03-23T14:24:11.619Z",
    "dateUpdated": "2026-03-26T18:45:26.631Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5734 (GCVE-0-2026-5734)

Vulnerability from cvelistv5 – Published: 2026-04-07 12:43 – Updated: 2026-04-13 13:51

Title

Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2

Summary

Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Assigner

mozilla

References

URL

Tags

	https://bugzilla.mozilla.org/buglist.cgi?bug_id=2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Unaffected: 140.9.1 , ≤ 140.* (rpm)
Unaffected: 149.0.2 , ≤ * (rpm)

Mozilla

Thunderbird

Unaffected: 140.9.1 , ≤ 140.* (rpm)
Unaffected: 149.0.2 , ≤ * (rpm)

Credits

Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-5734",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T03:55:30.963374Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-120",
                "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T13:20:27.463Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9.1",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149.0.2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9.1",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149.0.2",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1."
            }
          ],
          "value": "Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T13:51:34.677Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "name": "Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2",
          "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022369%2C2023026%2C2023545%2C2023555%2C2023958%2C2025422%2C2025468%2C2025492%2C2025505"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-25/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-27/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-28/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-29/"
        }
      ],
      "title": "Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2026-5734",
    "datePublished": "2026-04-07T12:43:14.833Z",
    "dateReserved": "2026-04-07T12:43:14.328Z",
    "dateUpdated": "2026-04-13T13:51:34.677Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5732 (GCVE-0-2026-5732)

Vulnerability from cvelistv5 – Published: 2026-04-07 12:43 – Updated: 2026-04-13 13:51

Title

Incorrect boundary conditions, integer overflow in the Graphics: Text component

Summary

Incorrect boundary conditions, integer overflow in the Graphics: Text component. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

mozilla

References

URL

Tags

	https://bugzilla.mozilla.org/show_bug.cgi?id=2017867
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Unaffected: 140.9.1 , ≤ 140.* (rpm)
Unaffected: 149.0.2 , ≤ * (rpm)

Mozilla

Thunderbird

Unaffected: 140.9.1 , ≤ 140.* (rpm)
Unaffected: 149.0.2 , ≤ * (rpm)

Credits

Sajeeb Lohani

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-5732",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-07T14:28:39.207668Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "CWE-190 Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-07T14:29:05.339Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9.1",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149.0.2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9.1",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149.0.2",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sajeeb Lohani"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Incorrect boundary conditions, integer overflow in the Graphics: Text component. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1."
            }
          ],
          "value": "Incorrect boundary conditions, integer overflow in the Graphics: Text component. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T13:51:28.140Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2017867"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-25/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-27/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-28/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-29/"
        }
      ],
      "title": "Incorrect boundary conditions, integer overflow in the Graphics: Text component"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2026-5732",
    "datePublished": "2026-04-07T12:43:12.829Z",
    "dateReserved": "2026-04-07T12:43:12.349Z",
    "dateUpdated": "2026-04-13T13:51:28.140Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33416 (GCVE-0-2026-33416)

Vulnerability from cvelistv5 – Published: 2026-03-26 16:48 – Updated: 2026-04-01 03:55

Title

LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`

Summary

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

GitHub_M

References

URL

Tags

	https://github.com/pnggroup/libpng/security/advis…	x_refsource_CONFIRM
	https://github.com/pnggroup/libpng/pull/824	x_refsource_MISC
	https://github.com/pnggroup/libpng/commit/2301926…	x_refsource_MISC
	https://github.com/pnggroup/libpng/commit/7ea9eea…	x_refsource_MISC
	https://github.com/pnggroup/libpng/commit/a3a2144…	x_refsource_MISC
	https://github.com/pnggroup/libpng/commit/c1b0318…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	pnggroup	libpng	Affected: >= 1.2.1, < 1.6.56

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33416",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T03:55:17.603Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "libpng",
          "vendor": "pnggroup",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.2.1, \u003c 1.6.56"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr-\u003etrans_alpha = info_ptr-\u003etrans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr-\u003epalette = png_ptr-\u003epalette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416: Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T16:48:54.174Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j"
        },
        {
          "name": "https://github.com/pnggroup/libpng/pull/824",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pnggroup/libpng/pull/824"
        },
        {
          "name": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb"
        },
        {
          "name": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667"
        },
        {
          "name": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25"
        },
        {
          "name": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1"
        }
      ],
      "source": {
        "advisory": "GHSA-m4pc-p4q3-4c7j",
        "discovery": "UNKNOWN"
      },
      "title": "LIBPNG has use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33416",
    "datePublished": "2026-03-26T16:48:54.174Z",
    "dateReserved": "2026-03-19T17:02:34.172Z",
    "dateUpdated": "2026-04-01T03:55:17.603Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:7672

CVE-2026-5731 (GCVE-0-2026-5731)

CVE-2026-33636 (GCVE-0-2026-33636)

CVE-2026-5734 (GCVE-0-2026-5734)

CVE-2026-5732 (GCVE-0-2026-5732)

CVE-2026-33416 (GCVE-0-2026-33416)

Tags

Sightings

Nomenclature