This Red Hat security advisory addresses multiple vulnerabilities in Mozilla Firefox and associated libraries on Red Hat Enterprise Linux 10. The fixed issues include a use-after-free vulnerability in libpng (CVE-2026-33416) that could lead to arbitrary code execution, out-of-bounds read/write in libpng's Neon palette expansion causing information disclosure and denial of service (CVE-2026-33636), memory safety bugs in Firefox and Thunderbird (CVE-2026-5731 and CVE-2026-5734), and an integer overflow in the graphics text component (CVE-2026-5732). These vulnerabilities affect Firefox ESR 140.9.1, Firefox 149.0.2, Thunderbird ESR 140.9.1, and Thunderbird 149.0.2. Red Hat has released updated packages to remediate these issues across multiple architectures including x86_64, s390x, ppc64le, and aarch64. The advisory is classified as Important by Red Hat Product Security.

The vulnerabilities fixed include arbitrary code execution, information disclosure, denial of service, memory safety bugs, and integer overflow issues. These could potentially allow attackers to execute code, cause application crashes, or leak sensitive information via the affected Firefox and Thunderbird versions on Red Hat Enterprise Linux 10. The advisory does not report any known exploits in the wild at this time.

Red Hat has released updated Firefox packages for Red Hat Enterprise Linux 10 that address these vulnerabilities. Users should apply the provided security updates as detailed in the Red Hat advisory RHSA-2026:7672 and the referenced article https://access.redhat.com/articles/11258. Applying these official patches is the recommended and effective mitigation. No additional vendor-recommended mitigations or workarounds are indicated.