This advisory addresses three vulnerabilities in Mozilla Firefox, including a critical (CVSS 9.8) unspecified issue in WebRTC (CVE-2026-8094), a high-severity use-after-free in DOM: Networking (CVE-2026-8090, CVSS 7.3), and high-severity memory safety bugs (CVE-2026-8092, CVSS 8.1). Affected versions are Firefox ESR before 115.35.2, Firefox versions 128.0 through 140.10.1, and Firefox versions 150.0 through 150.0.1. The fix requires updating to Firefox ESR 115.35.2, Firefox 140.10.2, or Firefox 150.0.2, as applicable to the deployed release stream.
Red Hat Product Errata RHSA-2026:24516 - Security Advisory Issued: 2026-06-08 Updated: 2026-06-08 RHSA-2026:24516 - Security Advisory Overview Updated Packages Synopsis Important: firefox security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fix(es): firefox: Other issue in the WebRTC component (CVE-2026-8094) firefox: Memory safety bugs fixed in Firefox ESR 115.35.2, Firefox ESR 140.10.2 and Firefox 150.0.2 (CVE-2026-8092) firefox: Use-after-free in the DOM: Networking component (CVE-2026-8090) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 x86_64 Red Hat Enterprise Linux Server - AUS 8.4 x86_64 Fixes BZ - 2467706 - CVE-2026-8094 firefox: thunderbird: Other issue in the WebRTC component BZ - 2467708 - CVE-2026-8092 firefox: Memory safety bugs fixed in Firefox ESR 115.35.2, Firefox ESR 140.10.2 and Firefox 150.0.2 BZ - 2467709 - CVE-2026-8090 firefox: thunderbird: Use-after-free in the DOM: Networking component CVEs CVE-2026-8090 CVE-2026-8092 CVE-2026-8094 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 SRPM firefox-140.10.2-1.el8_4.src.rpm SHA-256: 4fb87f76baeff83ac18eab8c3ccd4a1f69efc3d1fbb298255f79566e09d3c1b3 x86_64 firefox-140.10.2-1.el8_4.x86_64.rpm SHA-256: ddec1b74891ca8e3792bc36aacaca43cc0932ee9107aba496be0f22e0da6fa70 firefox-debuginfo-140.10.2-1.el8_4.x86_64.rpm SHA-256: 7e6e0dab4dddc5f5e2a4622ae8891c4984dade7b5689cc7500c2aac2f3b0c5d3 firefox-debugsource-140.10.2-1.el8_4.x86_64.rpm SHA-256: e1a5d749c3e6b88d51dd7628bc2a33431ba96ddfb6cfe21c2289912fc3a6c963 Red Hat Enterprise Linux Server - AUS 8.4 SRPM firefox-140.10.2-1.el8_4.src.rpm SHA-256: 4fb87f76baeff83ac18eab8c3ccd4a1f69efc3d1fbb298255f79566e09d3c1b3 x86_64 firefox-140.10.2-1.el8_4.x86_64.rpm SHA-256: ddec1b74891ca8e3792bc36aacaca43cc0932ee9107aba496be0f22e0da6fa70 firefox-debuginfo-140.10.2-1.el8_4.x86_64.rpm SHA-256: 7e6e0dab4dddc5f5e2a4622ae8891c4984dade7b5689cc7500c2aac2f3b0c5d3 firefox-debugsource-140.10.2-1.el8_4.x86_64.rpm SHA-256: e1a5d749c3e6b88d51dd7628bc2a33431ba96ddfb6cfe21c2289912fc3a6c963 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .