Mozilla FireFox Extended Support Release (ESR)


Recent Mozilla FireFox Extended Support Release (ESR) Security Advisories

| Advisory | Title | Published |
|---|---|---|
| mfsa2026-15 | Security Vulnerabilities fixed in Firefox ESR 140.8 | February 24, 2026 |
| mfsa2026-14 | Security Vulnerabilities fixed in Firefox ESR 115.33 | February 24, 2026 |
| mfsa2026-02 | Security Vulnerabilities fixed in Firefox ESR 115.32 | January 13, 2026 |
| mfsa2026-03 | Security Vulnerabilities fixed in Firefox ESR 140.7 | January 13, 2026 |
| mfsa2025-93 | Security Vulnerabilities fixed in Firefox ESR 115.31 | December 9, 2025 |
| mfsa2025-94 | Security Vulnerabilities fixed in Firefox ESR 140.6 | December 9, 2025 |
| mfsa2025-88 | Security Vulnerabilities fixed in Firefox ESR 140.5 | November 11, 2025 |
| mfsa2025-89 | Security Vulnerabilities fixed in Firefox ESR 115.30 | November 11, 2025 |
| mfsa2025-82 | Security Vulnerabilities fixed in Firefox ESR 115.29 | October 14, 2025 |
| mfsa2025-83 | Security Vulnerabilities fixed in Firefox ESR 140.4 | October 14, 2025 |

By the Year

In 2026 there have been 50 vulnerabilities in Mozilla FireFox Extended Support Release (ESR), with an average score of 7.5 out of ten. Last year, in 2025, FireFox Extended Support Release (ESR) had 104 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in FireFox Extended Support Release (ESR) in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.18.




| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 50 | 7.46 |
| 2025 | 104 | 7.65 |
| 2024 | 61 | 7.34 |
| 2023 | 109 | 7.56 |
| 2022 | 103 | 7.65 |
| 2021 | 59 | 7.48 |
| 2020 | 82 | 7.63 |
| 2019 | 63 | 7.94 |
| 2018 | 166 | 8.68 |

It may take a day or so for new FireFox Extended Support Release (ESR) vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Mozilla FireFox Extended Support Release (ESR) Security Vulnerabilities

Memory Safety Bug in Firefox ESR <115.33/140.8; <148 for FF/Thunderbird
CVE-2026-2793 - February 24, 2026

Memory safety bugs present in Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Memory Safety Bugs in Firefox 147 & ESR 140.7, Thunderbird 147 & ESR 140.7
CVE-2026-2792 - February 24, 2026

Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Firefox <148 / ESR<140.8: Networking Cache Mitigation Bypass
CVE-2026-2791 - February 24, 2026

Mitigation bypass in the Networking: Cache component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Firefox Same-origin policy bypass in JAR component before 148/ESR 140.8
CVE-2026-2790 - February 24, 2026

Same-origin policy bypass in the Networking: JAR component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Use-after-free in Graphics ImageLib of Firefox <148 (ESR <115.33/140.8)
CVE-2026-2789 - February 24, 2026

Use-after-free in the Graphics: ImageLib component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Firefox <148 Boundary Condition Flaw in Audio/Video GMP
CVE-2026-2788 - February 24, 2026

Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

UAF in Firefox DOM Window/Location before v148
CVE-2026-2787 - February 24, 2026

Use-after-free in the DOM: Window and Location component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Use-after-free in Firefox JS Engine (before 148)
CVE-2026-2786 - February 24, 2026

Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Firefox <148/ESR<140.8: Invalid Pointer in JS Engine
CVE-2026-2785 - February 24, 2026

Invalid pointer in the JavaScript Engine component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Firefox <148 & ESR<140.8: DOM Mitigation Bypass in Security Component
CVE-2026-2784 - February 24, 2026

Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Firefox <=148 Info Disclosure via JIT Miscomp
CVE-2026-2783 - February 24, 2026

Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Firefox Netmonitor Privilege Escalation (v<148/ESR<140.8)
CVE-2026-2782 - February 24, 2026

Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Firefox <148 ESR <140.8 Integer Overflow in NSS Libraries
CVE-2026-2781 - February 24, 2026

Integer overflow in the Libraries component in NSS. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Firefox Netmonitor PrivEsc pre-148 ESR<140.8
CVE-2026-2780 - February 24, 2026

Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Firefox JAR Boundary Flaw (pre-148, ESR <140.8)
CVE-2026-2779 - February 24, 2026

Incorrect boundary conditions in the Networking: JAR component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Firefox sandbox escape via DOM boundary conditions <148
CVE-2026-2778 - February 24, 2026

Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Privilege Escalation in Firefox MessagingSystem <148 (ESR <115.33,140.8)
CVE-2026-2777 - February 24, 2026

Privilege escalation in the Messaging System component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Sandbox escape CVE-2026-2776 in Firefox <148 via Telemetry boundary
CVE-2026-2776 - February 24, 2026

Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Firefox HTMLParser Mitigation Bypass before v148 (ESR <115.33/140.8)
CVE-2026-2775 - February 24, 2026

Mitigation bypass in the DOM: HTML Parser component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Firefox Audio/Video Component Integer Overflow (FF<148, ESR<115.33)
CVE-2026-2774 - February 24, 2026

Integer overflow in the Audio/Video component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Firefox WebAudio Wrong boundary flaw before v148
CVE-2026-2773 - February 24, 2026

Incorrect boundary conditions in the Web Audio component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

UAF in Firefox <148 AV Playback component
CVE-2026-2772 - February 24, 2026

Use-after-free in the Audio/Video: Playback component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Firefox <148 / ESR <115.33, <140.8 Undefined Behavior in DOM (CVE-2026-2771)
CVE-2026-2771 - February 24, 2026

Undefined behavior in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Use-after-free in Firefox DOM Bindings (WebIDL) < v148
CVE-2026-2770 - February 24, 2026

Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Use-after-free in Firefox IndexedDB before v148
CVE-2026-2769 - February 24, 2026

Use-after-free in the Storage: IndexedDB component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Firefox <=148 IndexedDB sandbox escape
CVE-2026-2768 - February 24, 2026

Sandbox escape in the Storage: IndexedDB component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Use-After-Free in Firefox <148 & ESR <140.8 WebAssembly (Wasm)
CVE-2026-2767 - February 24, 2026

Use-after-free in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Use-after-free in Firefox JavaScript Engine JIT <148/ESR 140.8
CVE-2026-2766 - February 24, 2026

Use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Use-after-free in Firefox JS Engine (before 148, ESR<140.8)
CVE-2026-2765 - February 24, 2026

Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Firefox <148 JIT Miscompilation UAF in JS Engine
CVE-2026-2764 - February 24, 2026

JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

UAF in Firefox JavaScript Engine < v148 & ESR 115.33
CVE-2026-2763 - February 24, 2026

Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Integer Overflow in Firefox JS Std Lib <148 (ESR<140.8)
CVE-2026-2762 - February 24, 2026

Integer overflow in the JavaScript: Standard Library component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Firefox Sandbox Escape via WebRender (148, ESR 115.33)
CVE-2026-2761 - February 24, 2026

Sandbox escape in the Graphics: WebRender component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Firefox Sandbox Escape in WebRender before 148 / ESR 115.33 / 140.8
CVE-2026-2760 - February 24, 2026

Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Firefox <148 ImgLib Boundary Condition Vulnerability
CVE-2026-2759 - February 24, 2026

Incorrect boundary conditions in the Graphics: ImageLib component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Firefox <148 UAF in JS GC
CVE-2026-2758 - February 24, 2026

Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Firefox <148 Boundary Condition Bug in WebRTC AV
CVE-2026-2757 - February 24, 2026

Incorrect boundary conditions in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.

Firefox < 147.0.4 Heap Buffer Overflow via libvpx
CVE-2026-2447 8.8 - High - February 16, 2026

Heap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird < 140.7.2, and Thunderbird < 147.0.2.

Heap-based Buffer Overflow

Memory Safety Bugs in Firefox 146 & Thunderbird 146
CVE-2026-0891 8.1 - High - January 13, 2026

Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Buffer Overflow

Firefox/Thunderbird Spoofing via Copy&Paste Drag&Drop (pre-147/140.7)
CVE-2026-0890 5.4 - Medium - January 13, 2026

Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Authentication Bypass by Spoofing

Firefox/Thunderbird <=146, ESR <140.7: Clickjacking & info disclosure via PDF Viewer
CVE-2026-0887 4.3 - Medium - January 13, 2026

Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Use-After-Free in SpiderMonkey (FF<147, ESR<140.7, TB<147, ESR TB<140.7)
CVE-2026-0884 9.8 - Critical - January 13, 2026

Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Dangling pointer

Use-After-Free in Firefox (<147): Garbage Collector (JS) component
CVE-2026-0885 6.5 - Medium - January 13, 2026

Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Dangling pointer

Mozilla Firefox & Thunderbird <147 Boundary Cond Flaw (Graphics)
CVE-2026-0886 5.3 - Medium - January 13, 2026

Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Buffer Overflow

Mozilla Firefox/Thunderbird Networking Info Disclosure < 147, ESR < 140.7
CVE-2026-0883 5.3 - Medium - January 13, 2026

Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Information Disclosure

Use-After-Free in IPC of Firefox <147 (fixed 147)
CVE-2026-0882 8.8 - High - January 13, 2026

Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Dangling pointer

Firefox & Thunderbird <147 Integer Overflow Sandbox Escape
CVE-2026-0880 8.8 - High - January 13, 2026

Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Integer Overflow or Wraparound

Firefox/Thunderbird Graphics Sandbox Escape before v147/ESR140.7
CVE-2026-0879 9.8 - Critical - January 13, 2026

Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Buffer Overflow

CanvasWebGL Sandbox Escape in Firefox <147, ESR <140.7
CVE-2026-0878 8 - High - January 13, 2026

Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Buffer Overflow

DOM Mitigation Bypass in Firefox<147/ESR<115.32 & Thunderbird<147/ESR<140.7
CVE-2026-0877 8.1 - High - January 13, 2026

Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Protection Mechanism Failure
