Red Hat Product Errata RHSA-2026:0016 - Security Advisory
Issued:
2026-01-05
Updated:
2026-01-05

RHSA-2026:0016 - Security Advisory

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

  • firefox: Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146 (CVE-2025-14333)
  • firefox: Use-after-free in the WebRTC: Signaling component (CVE-2025-14321)
  • firefox: JIT miscompilation in the JavaScript Engine: JIT component (CVE-2025-14325)
  • firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component (CVE-2025-14322)
  • firefox: Privilege escalation in the Netmonitor component (CVE-2025-14328)
  • firefox: Privilege escalation in the Netmonitor component (CVE-2025-14329)
  • firefox: Same-origin policy bypass in the Request Handling component (CVE-2025-14331)
  • firefox: Privilege escalation in the DOM: Notifications component (CVE-2025-14323)
  • firefox: JIT miscompilation in the JavaScript Engine: JIT component (CVE-2025-14330)
  • firefox: JIT miscompilation in the JavaScript Engine: JIT component (CVE-2025-14324)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64
  • Red Hat Enterprise Linux Server - AUS 9.4 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x

Fixes

  • BZ - 2420502 - CVE-2025-14333 firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146
  • BZ - 2420503 - CVE-2025-14321 firefox: thunderbird: Use-after-free in the WebRTC: Signaling component
  • BZ - 2420504 - CVE-2025-14325 firefox: thunderbird: JIT miscompilation in the JavaScript Engine: JIT component
  • BZ - 2420506 - CVE-2025-14322 firefox: thunderbird: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
  • BZ - 2420508 - CVE-2025-14328 firefox: thunderbird: Privilege escalation in the Netmonitor component
  • BZ - 2420509 - CVE-2025-14329 firefox: thunderbird: Privilege escalation in the Netmonitor component
  • BZ - 2420512 - CVE-2025-14331 firefox: thunderbird: Same-origin policy bypass in the Request Handling component
  • BZ - 2420513 - CVE-2025-14323 firefox: thunderbird: Privilege escalation in the DOM: Notifications component
  • BZ - 2420516 - CVE-2025-14330 firefox: thunderbird: JIT miscompilation in the JavaScript Engine: JIT component
  • BZ - 2420517 - CVE-2025-14324 firefox: thunderbird: JIT miscompilation in the JavaScript Engine: JIT component

Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4

SRPM
firefox-140.6.0-1.el9_4.src.rpm SHA-256: b7547a8b45a79d1bd3da4381bc398a43c4da6b9c6dfc5c461382bf57b799c5bd
x86_64
firefox-140.6.0-1.el9_4.x86_64.rpm SHA-256: 72e838eeb289a5a0bfd1011e7f39d10759c858c5f80e549dfd2dc8cb36918084
firefox-debuginfo-140.6.0-1.el9_4.x86_64.rpm SHA-256: 850d1d11479d31dc916825ba8eae17c8aa370f46b1ac84a9c56e51d25b2443ae
firefox-debugsource-140.6.0-1.el9_4.x86_64.rpm SHA-256: cefd27796ff7aca23ca2f767e773d9375f755eb48adeaf858997a883dff928cb
firefox-x11-140.6.0-1.el9_4.x86_64.rpm SHA-256: 0ca95c49017c61e639df12658886b2eb3fabea16c48e4a250b5fee2f3ca61fa4

Red Hat Enterprise Linux Server - AUS 9.4

SRPM
firefox-140.6.0-1.el9_4.src.rpm SHA-256: b7547a8b45a79d1bd3da4381bc398a43c4da6b9c6dfc5c461382bf57b799c5bd
x86_64
firefox-140.6.0-1.el9_4.x86_64.rpm SHA-256: 72e838eeb289a5a0bfd1011e7f39d10759c858c5f80e549dfd2dc8cb36918084
firefox-debuginfo-140.6.0-1.el9_4.x86_64.rpm SHA-256: 850d1d11479d31dc916825ba8eae17c8aa370f46b1ac84a9c56e51d25b2443ae
firefox-debugsource-140.6.0-1.el9_4.x86_64.rpm SHA-256: cefd27796ff7aca23ca2f767e773d9375f755eb48adeaf858997a883dff928cb
firefox-x11-140.6.0-1.el9_4.x86_64.rpm SHA-256: 0ca95c49017c61e639df12658886b2eb3fabea16c48e4a250b5fee2f3ca61fa4

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4

SRPM
firefox-140.6.0-1.el9_4.src.rpm SHA-256: b7547a8b45a79d1bd3da4381bc398a43c4da6b9c6dfc5c461382bf57b799c5bd
s390x
firefox-140.6.0-1.el9_4.s390x.rpm SHA-256: 27c6ee7e94eef5051dd8289365e712f4ba983e6f891386d07db1c64fc96e7494
firefox-debuginfo-140.6.0-1.el9_4.s390x.rpm SHA-256: 65191e4e09ea57b7cb2a348f14045642e18014f8818f3e26f620e2193fb44e5c
firefox-debugsource-140.6.0-1.el9_4.s390x.rpm SHA-256: 0faf48a5af349a4674bf2fbdb2721be03d36d99726ed5658d31c89fd6cff28e8
firefox-x11-140.6.0-1.el9_4.s390x.rpm SHA-256: 2811a7fc1f9a71d44886e6adab6d5367ae5f4ce4b42f25afd6702f9001bd20dc

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4

SRPM
firefox-140.6.0-1.el9_4.src.rpm SHA-256: b7547a8b45a79d1bd3da4381bc398a43c4da6b9c6dfc5c461382bf57b799c5bd
ppc64le
firefox-140.6.0-1.el9_4.ppc64le.rpm SHA-256: 312021ef13aa86c16f86b22503f66de36e278f02dbc4199895ffaaf256056bea
firefox-debuginfo-140.6.0-1.el9_4.ppc64le.rpm SHA-256: 63c44c1e6f50eca3039032667e15000cdafcbb3e5d3168d31821cca2cc1c49df
firefox-debugsource-140.6.0-1.el9_4.ppc64le.rpm SHA-256: d8a7a2b374b923f354d242586b3f87c6d9c7232da29a91079e6b5c35ca16e9de
firefox-x11-140.6.0-1.el9_4.ppc64le.rpm SHA-256: 286774a41597954ebb6d583e1ada174b525667ebf58a592c20a53d4b530d35c7

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4

SRPM
firefox-140.6.0-1.el9_4.src.rpm SHA-256: b7547a8b45a79d1bd3da4381bc398a43c4da6b9c6dfc5c461382bf57b799c5bd
aarch64
firefox-140.6.0-1.el9_4.aarch64.rpm SHA-256: 421c1c98b8d71f821037c932bf40a2e51ea4bfea08a4fbff6f6c120ab1b0263f
firefox-debuginfo-140.6.0-1.el9_4.aarch64.rpm SHA-256: ee14cff5b65920bef736c8d0e33fe9fb9f172a0a230df57fba45c9a9f8141914
firefox-debugsource-140.6.0-1.el9_4.aarch64.rpm SHA-256: 768d0dcc938fc77b871d4eb202924ca7085f75e30734354a881451bff3a38f0b
firefox-x11-140.6.0-1.el9_4.aarch64.rpm SHA-256: 973d0e4e2698ce165a9f25b9a23e6b5260910738261304f50db75174c29419a1

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4

SRPM
firefox-140.6.0-1.el9_4.src.rpm SHA-256: b7547a8b45a79d1bd3da4381bc398a43c4da6b9c6dfc5c461382bf57b799c5bd
ppc64le
firefox-140.6.0-1.el9_4.ppc64le.rpm SHA-256: 312021ef13aa86c16f86b22503f66de36e278f02dbc4199895ffaaf256056bea
firefox-debuginfo-140.6.0-1.el9_4.ppc64le.rpm SHA-256: 63c44c1e6f50eca3039032667e15000cdafcbb3e5d3168d31821cca2cc1c49df
firefox-debugsource-140.6.0-1.el9_4.ppc64le.rpm SHA-256: d8a7a2b374b923f354d242586b3f87c6d9c7232da29a91079e6b5c35ca16e9de
firefox-x11-140.6.0-1.el9_4.ppc64le.rpm SHA-256: 286774a41597954ebb6d583e1ada174b525667ebf58a592c20a53d4b530d35c7

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4

SRPM
firefox-140.6.0-1.el9_4.src.rpm SHA-256: b7547a8b45a79d1bd3da4381bc398a43c4da6b9c6dfc5c461382bf57b799c5bd
x86_64
firefox-140.6.0-1.el9_4.x86_64.rpm SHA-256: 72e838eeb289a5a0bfd1011e7f39d10759c858c5f80e549dfd2dc8cb36918084
firefox-debuginfo-140.6.0-1.el9_4.x86_64.rpm SHA-256: 850d1d11479d31dc916825ba8eae17c8aa370f46b1ac84a9c56e51d25b2443ae
firefox-debugsource-140.6.0-1.el9_4.x86_64.rpm SHA-256: cefd27796ff7aca23ca2f767e773d9375f755eb48adeaf858997a883dff928cb
firefox-x11-140.6.0-1.el9_4.x86_64.rpm SHA-256: 0ca95c49017c61e639df12658886b2eb3fabea16c48e4a250b5fee2f3ca61fa4

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4

SRPM
firefox-140.6.0-1.el9_4.src.rpm SHA-256: b7547a8b45a79d1bd3da4381bc398a43c4da6b9c6dfc5c461382bf57b799c5bd
aarch64
firefox-140.6.0-1.el9_4.aarch64.rpm SHA-256: 421c1c98b8d71f821037c932bf40a2e51ea4bfea08a4fbff6f6c120ab1b0263f
firefox-debuginfo-140.6.0-1.el9_4.aarch64.rpm SHA-256: ee14cff5b65920bef736c8d0e33fe9fb9f172a0a230df57fba45c9a9f8141914
firefox-debugsource-140.6.0-1.el9_4.aarch64.rpm SHA-256: 768d0dcc938fc77b871d4eb202924ca7085f75e30734354a881451bff3a38f0b
firefox-x11-140.6.0-1.el9_4.aarch64.rpm SHA-256: 973d0e4e2698ce165a9f25b9a23e6b5260910738261304f50db75174c29419a1

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4

SRPM
firefox-140.6.0-1.el9_4.src.rpm SHA-256: b7547a8b45a79d1bd3da4381bc398a43c4da6b9c6dfc5c461382bf57b799c5bd
s390x
firefox-140.6.0-1.el9_4.s390x.rpm SHA-256: 27c6ee7e94eef5051dd8289365e712f4ba983e6f891386d07db1c64fc96e7494
firefox-debuginfo-140.6.0-1.el9_4.s390x.rpm SHA-256: 65191e4e09ea57b7cb2a348f14045642e18014f8818f3e26f620e2193fb44e5c
firefox-debugsource-140.6.0-1.el9_4.s390x.rpm SHA-256: 0faf48a5af349a4674bf2fbdb2721be03d36d99726ed5658d31c89fd6cff28e8
firefox-x11-140.6.0-1.el9_4.s390x.rpm SHA-256: 2811a7fc1f9a71d44886e6adab6d5367ae5f4ce4b42f25afd6702f9001bd20dc

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.