This advisory covers multiple vulnerabilities in Mozilla Firefox and Thunderbird as packaged in Red Hat Enterprise Linux 8.6. The issues include a use-after-free vulnerability in libpng (CVE-2026-33416) that could lead to arbitrary code execution, out-of-bounds read/write in libpng's Neon palette expansion causing information disclosure and denial of service (CVE-2026-33636), memory safety bugs fixed in Firefox and Thunderbird ESR and standard releases (CVE-2026-5731, CVE-2026-5734), and an integer overflow in the graphics text component (CVE-2026-5732). Red Hat has released updated packages (firefox-140.9.1-1.el8_6) that address these vulnerabilities. The advisory rates the security impact as Important (high) and provides instructions for applying the update. No known exploits in the wild have been reported at this time.

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, cause denial of service, or disclose sensitive information via the affected Firefox and Thunderbird components. The use-after-free and memory safety bugs pose risks of code execution and application crashes. The integer overflow could lead to incorrect boundary handling in graphics rendering. The vulnerabilities affect multiple components including libpng and the graphics text component within Firefox and Thunderbird. Red Hat rates the overall security impact as Important (high). There are no reports of active exploitation in the wild.

Red Hat has released security updates for Firefox and Thunderbird in Red Hat Enterprise Linux 8.6 variants that address these vulnerabilities. Users should apply the Firefox update version 140.9.1-1.el8_6 or later as provided by Red Hat via official channels. Detailed update instructions are available at https://access.redhat.com/articles/11258. Applying these updates will remediate the described vulnerabilities. No additional mitigation steps are indicated by the vendor advisory.