This Red Hat security advisory addresses a collection of 29 vulnerabilities in Mozilla Firefox and Thunderbird, including sandbox escapes in DOM and Security Process Sandboxing components, information disclosure, memory safety bugs, JIT miscompilation, mitigation bypasses, privilege escalation in the Graphics WebRender component, denial-of-service in the Graphics ImageLib component, incorrect boundary conditions in multiple components, same-origin policy bypass, and use-after-free in networking components. The update fixes these issues in Firefox ESR 115.37, ESR 140.12, Firefox 152, Thunderbird ESR 140.12, and Thunderbird 152. The advisory applies to Red Hat Enterprise Linux 9 and its extended update support versions on multiple architectures. The vendor has released patches to address these vulnerabilities.

The vulnerabilities fixed include sandbox escapes that could allow code execution outside of intended security boundaries, information disclosure that could leak sensitive data, memory safety bugs that could lead to crashes or code execution, mitigation bypasses that reduce the effectiveness of security controls, privilege escalation allowing higher privileges than intended, denial-of-service conditions, and bypasses of same-origin policy potentially enabling cross-origin attacks. These issues collectively pose a high security risk to users of affected Firefox and Thunderbird versions on Red Hat Enterprise Linux 9 systems.

Red Hat has released security updates addressing these vulnerabilities in Firefox and Thunderbird for Red Hat Enterprise Linux 9 and its extended update support versions. Users should apply the updates as described in the Red Hat advisory RHSA-2026:27734 and the referenced article https://access.redhat.com/articles/11258 to remediate these issues. Patch status is confirmed with official fixes available from Red Hat.