Red Hat Product Errata RHSA-2026:13582 - Security Advisory
Issued:
2026-05-05
Updated:
2026-05-05

RHSA-2026:13582 - Security Advisory

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

  • libpng: libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)
  • libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)
  • thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5734)
  • thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5731)
  • firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component (CVE-2026-5732)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64
  • Red Hat Enterprise Linux Server - AUS 9.4 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64
  • Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64
  • Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x
  • Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.4 x86_64
  • Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.4 aarch64
  • Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.4 ppc64le
  • Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.4 s390x

Fixes

  • BZ - 2451805 - CVE-2026-33416 libpng: libpng: Arbitrary code execution due to use-after-free vulnerability
  • BZ - 2451819 - CVE-2026-33636 libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion
  • BZ - 2455897 - CVE-2026-5734 thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
  • BZ - 2455901 - CVE-2026-5731 thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
  • BZ - 2455908 - CVE-2026-5732 firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component

Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4

SRPM
firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4
x86_64
firefox-140.9.1-1.el9_4.x86_64.rpm SHA-256: f206d54c8b911ea0797c92a8f5118f5edd78d1e0931dccc358a97bfed22e012c
firefox-debuginfo-140.9.1-1.el9_4.x86_64.rpm SHA-256: 01a4d2bfe689c79d84213663b5d5c3c3c3163ad602d921fb6632811ca3bf1058
firefox-debugsource-140.9.1-1.el9_4.x86_64.rpm SHA-256: ada3c4d5be534681a14bb8a7af44007e0b03b7be0a0fd215d4d23103df149ea4
firefox-x11-140.9.1-1.el9_4.x86_64.rpm SHA-256: f268fb695ff3317f37f0cfad6e5aa4538366f48b81c161348f7e51afbf6623c4

Red Hat Enterprise Linux Server - AUS 9.4

SRPM
firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4
x86_64
firefox-140.9.1-1.el9_4.x86_64.rpm SHA-256: f206d54c8b911ea0797c92a8f5118f5edd78d1e0931dccc358a97bfed22e012c
firefox-debuginfo-140.9.1-1.el9_4.x86_64.rpm SHA-256: 01a4d2bfe689c79d84213663b5d5c3c3c3163ad602d921fb6632811ca3bf1058
firefox-debugsource-140.9.1-1.el9_4.x86_64.rpm SHA-256: ada3c4d5be534681a14bb8a7af44007e0b03b7be0a0fd215d4d23103df149ea4
firefox-x11-140.9.1-1.el9_4.x86_64.rpm SHA-256: f268fb695ff3317f37f0cfad6e5aa4538366f48b81c161348f7e51afbf6623c4

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4

SRPM
firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4
s390x
firefox-140.9.1-1.el9_4.s390x.rpm SHA-256: ebc0bf7b448d9c8784bfabe099ddcdcb7e575a76701663894f590daea548a7e2
firefox-debuginfo-140.9.1-1.el9_4.s390x.rpm SHA-256: 4f434beceb8347fc8db60bfed71fee15dca3477df99b543a7ff34b2642ef68ec
firefox-debugsource-140.9.1-1.el9_4.s390x.rpm SHA-256: 73936a58e7c6327508ea4becf4fb6c2586462bd46858a7f6f8a307679da8c43a
firefox-x11-140.9.1-1.el9_4.s390x.rpm SHA-256: 08c419e136f50aa594a2480d6633f73d927ced7df627e323522c573b3a6e4133

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4

SRPM
firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4
ppc64le
firefox-140.9.1-1.el9_4.ppc64le.rpm SHA-256: ec15382c296b6073a6dbd876f7b8a0c764119813909281bbf6773b9a1770e0e2
firefox-debuginfo-140.9.1-1.el9_4.ppc64le.rpm SHA-256: cc9c2faf81ad9027472d5144a461126690cac010707a52900e6c3cc06b5b3c1d
firefox-debugsource-140.9.1-1.el9_4.ppc64le.rpm SHA-256: d3c550f0798519f8cc122ea12a4854e9b6d6591bdeef7f7770931202a09f5489
firefox-x11-140.9.1-1.el9_4.ppc64le.rpm SHA-256: a327a52e8d978ba04913c79f4dfcd9c59571a15249bd51f62183d0d13436f7cd

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4

SRPM
firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4
aarch64
firefox-140.9.1-1.el9_4.aarch64.rpm SHA-256: 51a6b6c90a36831e0ff8d722b00ec15f346a0dd03f8ea94e0314ceb01c542504
firefox-debuginfo-140.9.1-1.el9_4.aarch64.rpm SHA-256: 0062c761fc096ac0775784ae630374e51b4ae0ee42fc1149a2c2306baf81d787
firefox-debugsource-140.9.1-1.el9_4.aarch64.rpm SHA-256: d48260a1f9ded4e75707fde43a03a940969e4149efbf73eb2f88381fd31b2962
firefox-x11-140.9.1-1.el9_4.aarch64.rpm SHA-256: ebc60c0929c2925177ec62c6d5cbdaef28eb4e31f71deee9f4cc121b22053c92

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4

SRPM
firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4
ppc64le
firefox-140.9.1-1.el9_4.ppc64le.rpm SHA-256: ec15382c296b6073a6dbd876f7b8a0c764119813909281bbf6773b9a1770e0e2
firefox-debuginfo-140.9.1-1.el9_4.ppc64le.rpm SHA-256: cc9c2faf81ad9027472d5144a461126690cac010707a52900e6c3cc06b5b3c1d
firefox-debugsource-140.9.1-1.el9_4.ppc64le.rpm SHA-256: d3c550f0798519f8cc122ea12a4854e9b6d6591bdeef7f7770931202a09f5489
firefox-x11-140.9.1-1.el9_4.ppc64le.rpm SHA-256: a327a52e8d978ba04913c79f4dfcd9c59571a15249bd51f62183d0d13436f7cd

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4

SRPM
firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4
x86_64
firefox-140.9.1-1.el9_4.x86_64.rpm SHA-256: f206d54c8b911ea0797c92a8f5118f5edd78d1e0931dccc358a97bfed22e012c
firefox-debuginfo-140.9.1-1.el9_4.x86_64.rpm SHA-256: 01a4d2bfe689c79d84213663b5d5c3c3c3163ad602d921fb6632811ca3bf1058
firefox-debugsource-140.9.1-1.el9_4.x86_64.rpm SHA-256: ada3c4d5be534681a14bb8a7af44007e0b03b7be0a0fd215d4d23103df149ea4
firefox-x11-140.9.1-1.el9_4.x86_64.rpm SHA-256: f268fb695ff3317f37f0cfad6e5aa4538366f48b81c161348f7e51afbf6623c4

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4

SRPM
firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4
aarch64
firefox-140.9.1-1.el9_4.aarch64.rpm SHA-256: 51a6b6c90a36831e0ff8d722b00ec15f346a0dd03f8ea94e0314ceb01c542504
firefox-debuginfo-140.9.1-1.el9_4.aarch64.rpm SHA-256: 0062c761fc096ac0775784ae630374e51b4ae0ee42fc1149a2c2306baf81d787
firefox-debugsource-140.9.1-1.el9_4.aarch64.rpm SHA-256: d48260a1f9ded4e75707fde43a03a940969e4149efbf73eb2f88381fd31b2962
firefox-x11-140.9.1-1.el9_4.aarch64.rpm SHA-256: ebc60c0929c2925177ec62c6d5cbdaef28eb4e31f71deee9f4cc121b22053c92

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4

SRPM
firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4
s390x
firefox-140.9.1-1.el9_4.s390x.rpm SHA-256: ebc0bf7b448d9c8784bfabe099ddcdcb7e575a76701663894f590daea548a7e2
firefox-debuginfo-140.9.1-1.el9_4.s390x.rpm SHA-256: 4f434beceb8347fc8db60bfed71fee15dca3477df99b543a7ff34b2642ef68ec
firefox-debugsource-140.9.1-1.el9_4.s390x.rpm SHA-256: 73936a58e7c6327508ea4becf4fb6c2586462bd46858a7f6f8a307679da8c43a
firefox-x11-140.9.1-1.el9_4.s390x.rpm SHA-256: 08c419e136f50aa594a2480d6633f73d927ced7df627e323522c573b3a6e4133

Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.4

SRPM
firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4
x86_64
firefox-140.9.1-1.el9_4.x86_64.rpm SHA-256: f206d54c8b911ea0797c92a8f5118f5edd78d1e0931dccc358a97bfed22e012c
firefox-debuginfo-140.9.1-1.el9_4.x86_64.rpm SHA-256: 01a4d2bfe689c79d84213663b5d5c3c3c3163ad602d921fb6632811ca3bf1058
firefox-debugsource-140.9.1-1.el9_4.x86_64.rpm SHA-256: ada3c4d5be534681a14bb8a7af44007e0b03b7be0a0fd215d4d23103df149ea4
firefox-x11-140.9.1-1.el9_4.x86_64.rpm SHA-256: f268fb695ff3317f37f0cfad6e5aa4538366f48b81c161348f7e51afbf6623c4

Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.4

SRPM
firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4
aarch64
firefox-140.9.1-1.el9_4.aarch64.rpm SHA-256: 51a6b6c90a36831e0ff8d722b00ec15f346a0dd03f8ea94e0314ceb01c542504
firefox-debuginfo-140.9.1-1.el9_4.aarch64.rpm SHA-256: 0062c761fc096ac0775784ae630374e51b4ae0ee42fc1149a2c2306baf81d787
firefox-debugsource-140.9.1-1.el9_4.aarch64.rpm SHA-256: d48260a1f9ded4e75707fde43a03a940969e4149efbf73eb2f88381fd31b2962
firefox-x11-140.9.1-1.el9_4.aarch64.rpm SHA-256: ebc60c0929c2925177ec62c6d5cbdaef28eb4e31f71deee9f4cc121b22053c92

Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.4

SRPM
firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4
ppc64le
firefox-140.9.1-1.el9_4.ppc64le.rpm SHA-256: ec15382c296b6073a6dbd876f7b8a0c764119813909281bbf6773b9a1770e0e2
firefox-debuginfo-140.9.1-1.el9_4.ppc64le.rpm SHA-256: cc9c2faf81ad9027472d5144a461126690cac010707a52900e6c3cc06b5b3c1d
firefox-debugsource-140.9.1-1.el9_4.ppc64le.rpm SHA-256: d3c550f0798519f8cc122ea12a4854e9b6d6591bdeef7f7770931202a09f5489
firefox-x11-140.9.1-1.el9_4.ppc64le.rpm SHA-256: a327a52e8d978ba04913c79f4dfcd9c59571a15249bd51f62183d0d13436f7cd

Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.4

SRPM
firefox-140.9.1-1.el9_4.src.rpm SHA-256: 96657cc3b6de66969e95db4292b8c4dd547ce93b1b957672ad82d6f773154aa4
s390x
firefox-140.9.1-1.el9_4.s390x.rpm SHA-256: ebc0bf7b448d9c8784bfabe099ddcdcb7e575a76701663894f590daea548a7e2
firefox-debuginfo-140.9.1-1.el9_4.s390x.rpm SHA-256: 4f434beceb8347fc8db60bfed71fee15dca3477df99b543a7ff34b2642ef68ec
firefox-debugsource-140.9.1-1.el9_4.s390x.rpm SHA-256: 73936a58e7c6327508ea4becf4fb6c2586462bd46858a7f6f8a307679da8c43a
firefox-x11-140.9.1-1.el9_4.s390x.rpm SHA-256: 08c419e136f50aa594a2480d6633f73d927ced7df627e323522c573b3a6e4133

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.