RHSA-2026:22708 - Security Advisory

Issued: 2026-06-03
Updated: 2026-06-03

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Topic

An update for firefox is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1 (CVE-2026-7323)
firefox: thunderbird: Information disclosure due to incorrect boundary conditions in the Audio/Video component (CVE-2026-7320)
firefox: thunderbird: Memory safety bugs fixed in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1 (CVE-2026-7322)
firefox: thunderbird: webrtc: Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component (CVE-2026-7321)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x
Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64
Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le

Fixes

BZ - 2463481 - CVE-2026-7323 firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1
BZ - 2463483 - CVE-2026-7320 firefox: thunderbird: Information disclosure due to incorrect boundary conditions in the Audio/Video component
BZ - 2463484 - CVE-2026-7322 firefox: thunderbird: Memory safety bugs fixed in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1
BZ - 2463485 - CVE-2026-7321 firefox: thunderbird: webrtc: Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component

CVEs

CVE-2026-7320
CVE-2026-7321
CVE-2026-7322
CVE-2026-7323

References

https://access.redhat.com/security/updates/classification/#important
Updated Packages

Red Hat Enterprise Linux Server - Extended Life Cycle Support 7

SRPM
firefox-140.10.1-1.el7_9.src.rpm SHA-256: 0d773d675ccc4320dbefda5000326d59e027580a3e11eee602785c84977bf23d
x86_64
firefox-140.10.1-1.el7_9.x86_64.rpm SHA-256: 55ef58cecbcf98655e589301ff41e5b85208f92dd3ce7ba283d054a684050364

Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7

SRPM
firefox-140.10.1-1.el7_9.src.rpm SHA-256: 0d773d675ccc4320dbefda5000326d59e027580a3e11eee602785c84977bf23d
s390x
firefox-140.10.1-1.el7_9.s390x.rpm SHA-256: 6a8dbe9803b1231a3a5cf0c3ab5a7f076b36b836774447ba1c3ebd0f7dc26ae4
firefox-debuginfo-140.10.1-1.el7_9.s390x.rpm SHA-256: 12461c08e801b06b8deaa7bcc368b81433951b7e60edb00f9ff51cedf0b666b7

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7

SRPM
firefox-140.10.1-1.el7_9.src.rpm SHA-256: 0d773d675ccc4320dbefda5000326d59e027580a3e11eee602785c84977bf23d
ppc64
firefox-140.10.1-1.el7_9.ppc64.rpm SHA-256: 5b4b4be0836cb4c11aed487ce226ee3bfa495e22145db955fc23184208022439
firefox-debuginfo-140.10.1-1.el7_9.ppc64.rpm SHA-256: 9dfa462fa6183a40d78fe250336969238ec06a52ad8ea13bc9e9defdbcc7f532

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7

SRPM
firefox-140.10.1-1.el7_9.src.rpm SHA-256: 0d773d675ccc4320dbefda5000326d59e027580a3e11eee602785c84977bf23d
ppc64le
firefox-140.10.1-1.el7_9.ppc64le.rpm SHA-256: 7e2d706ae5343ac19c3f562d20a271e2cee0a0d1aecae4f94cde7894b833c3af
firefox-debuginfo-140.10.1-1.el7_9.ppc64le.rpm SHA-256: a5b42ea78e6ea79e3816c29588ba6a33ad219e081c7ca4c71a876d18807a0013

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

This Red Hat advisory addresses four high-severity vulnerabilities (CVSS scores 7.3-7.5) in Firefox and Thunderbird, including memory safety bugs, an information disclosure flaw in the Audio/Video component, and a sandbox escape in the WebRTC networking component. Affected versions include Firefox < 115.35.1, Firefox < 150.0.1, Firefox >= 128.0 < 140.10.1, Thunderbird < 140.10.1, and Thunderbird < 150.0.1. The update provides fixes in Firefox/Thunderbird versions 140.10.1 and 150.0.1 for Red Hat Enterprise Linux 7 Extended Lifecycle Support.