Red Hat Product Security released an important security update for Firefox and Thunderbird fixing 29 CVEs that include sandbox escapes in DOM and process sandboxing components, information disclosure, memory safety bugs, mitigation bypasses, privilege escalation in the WebRender graphics component, denial-of-service in the ImageLib graphics component, use-after-free in networking HTTP, same-origin policy bypass in networking cookies, and incorrect boundary conditions in multiple components. These vulnerabilities affect Firefox ESR 115.37, ESR 140.12, Firefox 152, Thunderbird ESR 140.12, and Thunderbird 152. The advisory references Red Hat Enterprise Linux 8 and its extended life cycle variants as affected products. The update is rated as important by Red Hat and addresses critical security issues in the browser and email client.

The vulnerabilities collectively allow for sandbox escapes, privilege escalation, information disclosure, denial-of-service, and memory safety issues in Firefox and Thunderbird. These could enable attackers to bypass security mitigations, escalate privileges, leak sensitive information, or cause application crashes. The presence of sandbox escapes and mitigation bypasses indicates potential for attackers to break out of restricted execution environments, increasing risk severity. However, no known exploits in the wild have been reported at this time.

Red Hat has released security updates for Firefox and Thunderbird as part of Red Hat Enterprise Linux 8 and its extended life cycle versions. Users should apply these official updates promptly to remediate the vulnerabilities. For detailed update instructions, refer to Red Hat's advisory at https://access.redhat.com/articles/11258. No additional mitigation steps are indicated beyond applying the vendor-provided patches.