CVE-2026-2447 - Vulnerability Details

- Heap buffer overflow in libvpx

Description

Heap buffer overflow in libvpx. This vulnerability was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2.

Published: 2026-02-16

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerable heap operation in the libvpx media decoding library allows an attacker to write beyond the intended buffer boundaries. This overflow can corrupt adjacent memory structures, leading to arbitrary code execution or a complete crash. The weakness is a classic Out‑of‑Bounds Write (CWE‑122), which can compromise confidentiality, integrity, and availability if exploited.

Affected Systems

The affected products are Mozilla Firefox and Mozilla Thunderbird. Versions prior to Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2 are vulnerable. All releases newer than these contain the patch.

Risk and Exploitability

The CVSS score of 8.8 classifies this vulnerability as high severity. The EPSS probability is less than 1%, indicating a low likelihood of exploitation at this time, and it is not listed in the CISA KEV catalog. The attack vector is inferred to involve a maliciously crafted VPX media file delivered through a web page or email, as libvpx is used to decode such content in browsers and mail clients.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`115.32.1`	unaffected	≤ 115.*
`140.7.1`	unaffected	≤ 140.*
`147.0.4`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`140.7.2`	unaffected	≤ 140.*
`147.0.2`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:thunderbird::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

No data.

Vendor Product Confidence Versions

Mozilla

Firefox

—

Version	Status	Scheme	Platform
`[0,147.0.4)`	affected	semver	—

Mozilla

Firefox Esr

—

Version	Status	Scheme	Platform
`[0,140.7.1)`	affected	semver	—

Mozilla

Firefox Esr

—

Version	Status	Scheme	Platform
`[0,115.32.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to the latest versions of Mozilla Firefox and Thunderbird that include the libvpx buffer overflow fix (Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, or Thunderbird 147.0.2).
After applying the update, restart the affected applications to ensure the updated libvpx library is loaded.
Until the update can be applied, block or disable the processing of VPX‑encoded media content in browsers and mail clients, such as by blocking .vp8/.vp9 files or restricting WebP downloads from untrusted sources.

Generated by OpenCVE AI on April 15, 2026 at 17:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4489-1	libvpx security update
Debian DSA	DSA-6143-1	libvpx security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00019.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=2014390
https://lists.debian.org/debian-lts-announce/2026/02/msg00028.html
https://nvd.nist.gov/vuln/detail/CVE-2026-2447
https://www.cve.org/CVERecord?id=CVE-2026-2447
https://www.mozilla.org/security/advisories/mfsa2026-10/
https://www.mozilla.org/security/advisories/mfsa2026-11/

History

Mon, 13 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Description	Heap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird < 140.7.2, and Thunderbird < 147.0.2.	Heap buffer overflow in libvpx. This vulnerability was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2.

Sun, 22 Feb 2026 21:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2026/02/msg00028.html

Wed, 18 Feb 2026 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla thunderbird
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:firefox:::::esr:::* cpe:2.3:a:mozilla:thunderbird::::::::
Vendors & Products		Mozilla thunderbird

Wed, 18 Feb 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-2447 https://www.cve.org/CVERecord?id=CVE-2026-2447
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 17 Feb 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-122
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 17 Feb 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Mozilla firefox Esr
Vendors & Products		Mozilla Mozilla firefox Mozilla firefox Esr

Mon, 16 Feb 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description	Heap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, and Firefox ESR < 115.32.1.	Heap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird < 140.7.2, and Thunderbird < 147.0.2.
References		https://www.mozilla.org/security/advisories/mfsa2026-11/

Mon, 16 Feb 2026 14:30:00 +0000

Type	Values Removed	Values Added
Description		Heap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, and Firefox ESR < 115.32.1.
Title		Heap buffer overflow in libvpx
References		https://bugzilla.mozilla.org/show_bug.cgi?id=2014390 https://www.mozilla.org/security/advisories/mfsa2026-10/

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2026-02-16T14:13:23.559Z

Updated: 2026-04-13T13:53:57.597Z

Reserved: 2026-02-13T09:28:08.874Z

Link: CVE-2026-2447

Vulnrichment

Updated: 2026-02-22T21:05:42.890Z

NVD

Status : Modified

Published: 2026-02-16T15:18:34.740

Modified: 2026-04-13T15:17:19.983

Link: CVE-2026-2447

Redhat

Severity : Important

Publid Date: 2026-02-16T14:13:23Z

Links: CVE-2026-2447 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses

CWE-122

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object