Issued:: 2026-04-13
Updated:: 2026-04-13

RHSA-2026:7672 - Security Advisory

Overview
Updated Packages

Synopsis

Important: firefox security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for firefox is now available for Red Hat Enterprise Linux 10.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

libpng: libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)
libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)
thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5734)
thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5731)
firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component (CVE-2026-5732)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux for x86_64 10 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2 x86_64
Red Hat Enterprise Linux for IBM z Systems 10 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2 s390x
Red Hat Enterprise Linux for Power, little endian 10 ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.2 ppc64le
Red Hat Enterprise Linux for ARM 64 10 aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.2 aarch64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.2 aarch64
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.2 s390x
Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.2 ppc64le
Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.2 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 10.2 x86_64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 10.2 aarch64
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 10.2 ppc64le
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 10.2 s390x

Fixes

BZ - 2451805 - CVE-2026-33416 libpng: libpng: Arbitrary code execution due to use-after-free vulnerability
BZ - 2451819 - CVE-2026-33636 libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion
BZ - 2455897 - CVE-2026-5734 thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
BZ - 2455901 - CVE-2026-5731 thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
BZ - 2455908 - CVE-2026-5732 firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux for x86_64 10

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
x86_64
firefox-140.9.1-1.el10_1.x86_64.rpm	SHA-256: d96d4b87c49018a3c28fa430b90c3ab51b22281f538b696450e10df1eb2e2fd3
firefox-debuginfo-140.9.1-1.el10_1.x86_64.rpm	SHA-256: 352ecc31c6bacc265cf0ad6743f5d12f4c556807023e328453a4b7a9a1aa4f64
firefox-debugsource-140.9.1-1.el10_1.x86_64.rpm	SHA-256: 74c4dcd86224aabe7fcc8eaf7baf73fed23d6ebaa262f2b100530ea6bff221e2

Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
x86_64
firefox-140.9.1-1.el10_1.x86_64.rpm	SHA-256: d96d4b87c49018a3c28fa430b90c3ab51b22281f538b696450e10df1eb2e2fd3
firefox-debuginfo-140.9.1-1.el10_1.x86_64.rpm	SHA-256: 352ecc31c6bacc265cf0ad6743f5d12f4c556807023e328453a4b7a9a1aa4f64
firefox-debugsource-140.9.1-1.el10_1.x86_64.rpm	SHA-256: 74c4dcd86224aabe7fcc8eaf7baf73fed23d6ebaa262f2b100530ea6bff221e2

Red Hat Enterprise Linux for IBM z Systems 10

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
s390x
firefox-140.9.1-1.el10_1.s390x.rpm	SHA-256: d8e2219ed7a39849071f134d122ce5dc8e3b0df852a6548751e271a2ac8ec14f
firefox-debuginfo-140.9.1-1.el10_1.s390x.rpm	SHA-256: ac6496a63f8ef31ad2e735d8477085c42f7754cc49fd3423fc2a3ea6838c02cb
firefox-debugsource-140.9.1-1.el10_1.s390x.rpm	SHA-256: 55056cda4335462723d2eac9ac35fb9b1937c10e19e24592ff07865d635be979

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
s390x
firefox-140.9.1-1.el10_1.s390x.rpm	SHA-256: d8e2219ed7a39849071f134d122ce5dc8e3b0df852a6548751e271a2ac8ec14f
firefox-debuginfo-140.9.1-1.el10_1.s390x.rpm	SHA-256: ac6496a63f8ef31ad2e735d8477085c42f7754cc49fd3423fc2a3ea6838c02cb
firefox-debugsource-140.9.1-1.el10_1.s390x.rpm	SHA-256: 55056cda4335462723d2eac9ac35fb9b1937c10e19e24592ff07865d635be979

Red Hat Enterprise Linux for Power, little endian 10

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
ppc64le
firefox-140.9.1-1.el10_1.ppc64le.rpm	SHA-256: 9cf630a99db1a18515660b2d6c6a70bbce3f08126e7da98e4f67092048bd3c8a
firefox-debuginfo-140.9.1-1.el10_1.ppc64le.rpm	SHA-256: 8685218f75b5f1622c42225eb87187ac41fa9a4a5b7bd99f85893b962edebac4
firefox-debugsource-140.9.1-1.el10_1.ppc64le.rpm	SHA-256: 94baec79cd6b546422dcf46a46fcea0870ff960b33a2d873b64eeacab8d975f4

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.2

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
ppc64le
firefox-140.9.1-1.el10_1.ppc64le.rpm	SHA-256: 9cf630a99db1a18515660b2d6c6a70bbce3f08126e7da98e4f67092048bd3c8a
firefox-debuginfo-140.9.1-1.el10_1.ppc64le.rpm	SHA-256: 8685218f75b5f1622c42225eb87187ac41fa9a4a5b7bd99f85893b962edebac4
firefox-debugsource-140.9.1-1.el10_1.ppc64le.rpm	SHA-256: 94baec79cd6b546422dcf46a46fcea0870ff960b33a2d873b64eeacab8d975f4

Red Hat Enterprise Linux for ARM 64 10

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
aarch64
firefox-140.9.1-1.el10_1.aarch64.rpm	SHA-256: a8b622c30617bbfc5f62af7e4dc9d134ec50e835a957c6f28d8931a9231bacb5
firefox-debuginfo-140.9.1-1.el10_1.aarch64.rpm	SHA-256: 1b82dae26c400accea206998108be67e210622643d1f2384f9c8d9bc9f38ad3b
firefox-debugsource-140.9.1-1.el10_1.aarch64.rpm	SHA-256: d98f0650ee6377ed777e259538dfdb88a3eeb8045ee8c64b3eedb27f4fa84de8

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.2

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
aarch64
firefox-140.9.1-1.el10_1.aarch64.rpm	SHA-256: a8b622c30617bbfc5f62af7e4dc9d134ec50e835a957c6f28d8931a9231bacb5
firefox-debuginfo-140.9.1-1.el10_1.aarch64.rpm	SHA-256: 1b82dae26c400accea206998108be67e210622643d1f2384f9c8d9bc9f38ad3b
firefox-debugsource-140.9.1-1.el10_1.aarch64.rpm	SHA-256: d98f0650ee6377ed777e259538dfdb88a3eeb8045ee8c64b3eedb27f4fa84de8

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.2

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
aarch64
firefox-140.9.1-1.el10_1.aarch64.rpm	SHA-256: a8b622c30617bbfc5f62af7e4dc9d134ec50e835a957c6f28d8931a9231bacb5
firefox-debuginfo-140.9.1-1.el10_1.aarch64.rpm	SHA-256: 1b82dae26c400accea206998108be67e210622643d1f2384f9c8d9bc9f38ad3b
firefox-debugsource-140.9.1-1.el10_1.aarch64.rpm	SHA-256: d98f0650ee6377ed777e259538dfdb88a3eeb8045ee8c64b3eedb27f4fa84de8

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.2

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
s390x
firefox-140.9.1-1.el10_1.s390x.rpm	SHA-256: d8e2219ed7a39849071f134d122ce5dc8e3b0df852a6548751e271a2ac8ec14f
firefox-debuginfo-140.9.1-1.el10_1.s390x.rpm	SHA-256: ac6496a63f8ef31ad2e735d8477085c42f7754cc49fd3423fc2a3ea6838c02cb
firefox-debugsource-140.9.1-1.el10_1.s390x.rpm	SHA-256: 55056cda4335462723d2eac9ac35fb9b1937c10e19e24592ff07865d635be979

Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.2

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
ppc64le
firefox-140.9.1-1.el10_1.ppc64le.rpm	SHA-256: 9cf630a99db1a18515660b2d6c6a70bbce3f08126e7da98e4f67092048bd3c8a
firefox-debuginfo-140.9.1-1.el10_1.ppc64le.rpm	SHA-256: 8685218f75b5f1622c42225eb87187ac41fa9a4a5b7bd99f85893b962edebac4
firefox-debugsource-140.9.1-1.el10_1.ppc64le.rpm	SHA-256: 94baec79cd6b546422dcf46a46fcea0870ff960b33a2d873b64eeacab8d975f4

Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.2

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
x86_64
firefox-140.9.1-1.el10_1.x86_64.rpm	SHA-256: d96d4b87c49018a3c28fa430b90c3ab51b22281f538b696450e10df1eb2e2fd3
firefox-debuginfo-140.9.1-1.el10_1.x86_64.rpm	SHA-256: 352ecc31c6bacc265cf0ad6743f5d12f4c556807023e328453a4b7a9a1aa4f64
firefox-debugsource-140.9.1-1.el10_1.x86_64.rpm	SHA-256: 74c4dcd86224aabe7fcc8eaf7baf73fed23d6ebaa262f2b100530ea6bff221e2

Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 10.2

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
x86_64
firefox-140.9.1-1.el10_1.x86_64.rpm	SHA-256: d96d4b87c49018a3c28fa430b90c3ab51b22281f538b696450e10df1eb2e2fd3
firefox-debuginfo-140.9.1-1.el10_1.x86_64.rpm	SHA-256: 352ecc31c6bacc265cf0ad6743f5d12f4c556807023e328453a4b7a9a1aa4f64
firefox-debugsource-140.9.1-1.el10_1.x86_64.rpm	SHA-256: 74c4dcd86224aabe7fcc8eaf7baf73fed23d6ebaa262f2b100530ea6bff221e2

Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 10.2

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
aarch64
firefox-140.9.1-1.el10_1.aarch64.rpm	SHA-256: a8b622c30617bbfc5f62af7e4dc9d134ec50e835a957c6f28d8931a9231bacb5
firefox-debuginfo-140.9.1-1.el10_1.aarch64.rpm	SHA-256: 1b82dae26c400accea206998108be67e210622643d1f2384f9c8d9bc9f38ad3b
firefox-debugsource-140.9.1-1.el10_1.aarch64.rpm	SHA-256: d98f0650ee6377ed777e259538dfdb88a3eeb8045ee8c64b3eedb27f4fa84de8

Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 10.2

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
ppc64le
firefox-140.9.1-1.el10_1.ppc64le.rpm	SHA-256: 9cf630a99db1a18515660b2d6c6a70bbce3f08126e7da98e4f67092048bd3c8a
firefox-debuginfo-140.9.1-1.el10_1.ppc64le.rpm	SHA-256: 8685218f75b5f1622c42225eb87187ac41fa9a4a5b7bd99f85893b962edebac4
firefox-debugsource-140.9.1-1.el10_1.ppc64le.rpm	SHA-256: 94baec79cd6b546422dcf46a46fcea0870ff960b33a2d873b64eeacab8d975f4

Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 10.2

SRPM
firefox-140.9.1-1.el10_1.src.rpm	SHA-256: cf6bd726a049914f45c5958951e72fad88fe48f708a2a9b040a183667025053e
s390x
firefox-140.9.1-1.el10_1.s390x.rpm	SHA-256: d8e2219ed7a39849071f134d122ce5dc8e3b0df852a6548751e271a2ac8ec14f
firefox-debuginfo-140.9.1-1.el10_1.s390x.rpm	SHA-256: ac6496a63f8ef31ad2e735d8477085c42f7754cc49fd3423fc2a3ea6838c02cb
firefox-debugsource-140.9.1-1.el10_1.s390x.rpm	SHA-256: 55056cda4335462723d2eac9ac35fb9b1937c10e19e24592ff07865d635be979

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation