Red Hat Product Security issued an advisory (RHSA-2026:27733) for Firefox and Thunderbird addressing 29 CVEs related to sandbox escapes, information disclosure, memory safety bugs, mitigation bypasses, privilege escalation, denial-of-service, and incorrect boundary conditions across multiple components including DOM, process sandboxing, graphics (WebRender, ImageLib, CanvasWebGL), networking, and internationalization. The fixes are included in Firefox ESR 115.37, ESR 140.12, Firefox 152, Thunderbird ESR 140.12, and Thunderbird 152. The vulnerabilities impact Red Hat Enterprise Linux 10 and its extended update and life cycle support variants across multiple architectures. No CVSS scores are provided in the advisory, but the severity is rated as Important by Red Hat.

The vulnerabilities collectively allow attackers to escape sandbox restrictions, disclose sensitive information, escalate privileges, cause denial-of-service conditions, bypass mitigations, and exploit memory safety issues. These impacts could compromise browser and email client security, potentially enabling code execution or data leakage. The advisory does not report known exploits in the wild at the time of publication.

Red Hat has released security updates for Firefox and Thunderbird in Red Hat Enterprise Linux 10 and its variants that address these vulnerabilities. Users should apply the updates as described in the Red Hat advisory (RHSA-2026:27733) and the referenced update instructions (https://access.redhat.com/articles/11258). No additional mitigation steps are indicated beyond applying the official patches.