Vulnerability-Lookup

WID-SEC-W-2026-0427

Vulnerability from csaf_certbund - Published: 2026-02-16 23:00 - Updated: 2026-02-19 23:00

Summary

Mozilla Firefox, Firefox ESR und Thunderbird: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Firefox ist ein Open Source Web Browser. ESR ist die Variante mit verlängertem Support. Thunderbird ist ein Open Source E-Mail Client.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Mozilla Firefox, Mozilla Firefox ESR und Mozilla Thunderbird ausnutzen, um falsche Informationen darzustellen oder nicht näher spezifizierte Auswirkungen zu verursachen

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Firefox ist ein Open Source Web Browser. \r\nESR ist die Variante mit verl\u00e4ngertem Support.\r\nThunderbird ist ein Open Source E-Mail Client.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Mozilla Firefox, Mozilla Firefox ESR und Mozilla Thunderbird ausnutzen, um falsche Informationen darzustellen oder nicht n\u00e4her spezifizierte Auswirkungen zu verursachen",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0427 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0427.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0427 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0427"
      },
      {
        "category": "external",
        "summary": "Mozilla Security Advisory vom 2026-02-16",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2026-09/"
      },
      {
        "category": "external",
        "summary": "Mozilla Security Advisory vom 2026-02-16",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/"
      },
      {
        "category": "external",
        "summary": "Mozilla Security Advisory vom 2026-02-16",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2026-11/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6143 vom 2026-02-19",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00052.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8053-1 vom 2026-02-19",
        "url": "https://ubuntu.com/security/notices/USN-8053-1"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10218-1 vom 2026-02-19",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MMSYOCXCDROVZUUKNWXZTMOTNREXXVCT/"
      }
    ],
    "source_lang": "en-US",
    "title": "Mozilla Firefox, Firefox ESR und Thunderbird: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-02-19T23:00:00.000+00:00",
      "generator": {
        "date": "2026-02-20T09:20:51.811+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0427",
      "initial_release_date": "2026-02-16T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-02-16T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-02-19T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Debian, Ubuntu und openSUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "ios \u003c147.2.1",
                "product": {
                  "name": "Mozilla Firefox ios \u003c147.2.1",
                  "product_id": "T050937"
                }
              },
              {
                "category": "product_version",
                "name": "ios 147.2.1",
                "product": {
                  "name": "Mozilla Firefox ios 147.2.1",
                  "product_id": "T050937-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mozilla:firefox:ios__147.2.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c147.0.4",
                "product": {
                  "name": "Mozilla Firefox \u003c147.0.4",
                  "product_id": "T050938"
                }
              },
              {
                "category": "product_version",
                "name": "147.0.4",
                "product": {
                  "name": "Mozilla Firefox 147.0.4",
                  "product_id": "T050938-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mozilla:firefox:147.0.4"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Firefox"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c115.32.1",
                "product": {
                  "name": "Mozilla Firefox ESR \u003c115.32.1",
                  "product_id": "T050939"
                }
              },
              {
                "category": "product_version",
                "name": "115.32.1",
                "product": {
                  "name": "Mozilla Firefox ESR 115.32.1",
                  "product_id": "T050939-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mozilla:firefox_esr:115.32.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c140.7.1",
                "product": {
                  "name": "Mozilla Firefox ESR \u003c140.7.1",
                  "product_id": "T050940"
                }
              },
              {
                "category": "product_version",
                "name": "140.7.1",
                "product": {
                  "name": "Mozilla Firefox ESR 140.7.1",
                  "product_id": "T050940-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mozilla:firefox_esr:140.7.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Firefox ESR"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c140.7.2",
                "product": {
                  "name": "Mozilla Thunderbird \u003c140.7.2",
                  "product_id": "T050941"
                }
              },
              {
                "category": "product_version",
                "name": "140.7.2",
                "product": {
                  "name": "Mozilla Thunderbird 140.7.2",
                  "product_id": "T050941-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mozilla:thunderbird:140.7.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c147.0.2",
                "product": {
                  "name": "Mozilla Thunderbird \u003c147.0.2",
                  "product_id": "T050942"
                }
              },
              {
                "category": "product_version",
                "name": "147.0.2",
                "product": {
                  "name": "Mozilla Thunderbird 147.0.2",
                  "product_id": "T050942-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mozilla:thunderbird:147.0.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Thunderbird"
          }
        ],
        "category": "vendor",
        "name": "Mozilla"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-2032",
      "product_status": {
        "known_affected": [
          "T050937",
          "2951",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2026-02-16T23:00:00.000+00:00",
      "title": "CVE-2026-2032"
    },
    {
      "cve": "CVE-2026-2447",
      "product_status": {
        "known_affected": [
          "T050938",
          "2951",
          "T050942",
          "T000126",
          "T027843",
          "T050941",
          "T050940",
          "T050939"
        ]
      },
      "release_date": "2026-02-16T23:00:00.000+00:00",
      "title": "CVE-2026-2447"
    }
  ]
}

CVE-2026-2032 (GCVE-0-2026-2032)

Vulnerability from cvelistv5 – Published: 2026-02-16 14:13 – Updated: 2026-02-17 18:23

Title

Interrupted page loads in new tabs could allow website spoofing under trusted domains in Firefox iOS

Summary

Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain. This vulnerability affects Firefox for iOS < 147.2.1.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE

CWE-451 - User Interface (UI) Misrepresentation of Critical Information

Assigner

mozilla

References

URL

	Vendor	Product	Version
	Mozilla	Firefox for iOS	Affected: unspecified , < 147.2.1 (custom)

CVE-2026-2447 (GCVE-0-2026-2447)

Vulnerability from cvelistv5 – Published: 2026-02-16 14:13 – Updated: 2026-02-22 21:05

Title

Heap buffer overflow in libvpx

Summary

Heap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird < 140.7.2, and Thunderbird < 147.0.2.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-122 - Heap-based Buffer Overflow

Assigner

mozilla

References

URL

Tags

	https://bugzilla.mozilla.org/show_bug.cgi?id=2014390
	https://www.mozilla.org/security/advisories/mfsa2…
	https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

Vendor

Product

Version

Mozilla

Firefox

Affected: unspecified , < 147.0.4 (custom)

Mozilla	Firefox ESR	Affected: unspecified , < 140.7.1 (custom)
Mozilla	Firefox ESR	Affected: unspecified , < 115.32.1 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 140.7.2 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 147.0.2 (custom)

Credits

jayjayjazz

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-2447",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-17T14:52:59.556198Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-122",
                "description": "CWE-122 Heap-based Buffer Overflow",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-17T14:53:32.187Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-02-22T21:05:42.890Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "147.0.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.7.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "115.32.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "140.7.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "147.0.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "jayjayjazz"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Heap buffer overflow in libvpx. This vulnerability affects Firefox \u003c 147.0.4, Firefox ESR \u003c 140.7.1, Firefox ESR \u003c 115.32.1, Thunderbird \u003c 140.7.2, and Thunderbird \u003c 147.0.2."
            }
          ],
          "value": "Heap buffer overflow in libvpx. This vulnerability affects Firefox \u003c 147.0.4, Firefox ESR \u003c 140.7.1, Firefox ESR \u003c 115.32.1, Thunderbird \u003c 140.7.2, and Thunderbird \u003c 147.0.2."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-16T15:18:48.288Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2014390"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-10/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-11/"
        }
      ],
      "title": "Heap buffer overflow in libvpx"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2026-2447",
    "datePublished": "2026-02-16T14:13:23.559Z",
    "dateReserved": "2026-02-13T09:28:08.874Z",
    "dateUpdated": "2026-02-22T21:05:42.890Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0427

CVE-2026-2032 (GCVE-0-2026-2032)

CVE-2026-2447 (GCVE-0-2026-2447)

Tags

Sightings

Nomenclature