
Firefox 147 Released With Fixes for 16 Vulnerabilities that Enable Arbitrary Code Execution

Mozilla released Firefox 147 on January 13, 2026, addressing 16 security vulnerabilities detailed in the Mozilla Foundation Security Advisory.

The update patches critical issues across components such as graphics, JavaScript, and networking, addressing six high-impact flaws, including multiple sandbox escapes, that could enable arbitrary code execution if exploited.

These fixes also apply to Firefox ESR 140.7 and Thunderbird ESR 140.7/147. Users are urged to update immediately amid rising browser-targeted attacks.

The release counters sophisticated threats uncovered through bug reports and fuzzing. High-severity vulnerabilities dominate, particularly sandbox escapes in graphics and messaging systems, reported largely by researcher Oskar L.

Memory safety bugs in CVE-2026-0891 and CVE-2026-0892 showed evidence of corruption and are likely exploitable with effort. No active exploitation has been confirmed, but the cluster of graphics flaws highlights ongoing risks in WebGL and Canvas rendering.

High-Impact Sandbox Escapes and Memory Corruption

Several vulnerabilities enable sandbox escapes, breaching Firefox’s isolation mechanisms. CVE-2026-0877 allows a mitigation bypass in the DOM: Security component, while CVE-2026-0878 through CVE-2026-0880 stem from incorrect boundary conditions and an integer overflow in the Graphics and Graphics: CanvasWebGL components.

CVE-2026-0881 targets the Messaging System. A use-after-free in IPC (CVE-2026-0882) adds to the tally. These high-impact issues, fixed in version 147, could let attackers run code outside sandboxed contexts.

| CVE ID | Description/Component | Impact | Reporter(s) |
|---|---|---|---|
| CVE-2026-0877 | Mitigation bypass in the DOM: Security component | High | mingijung |
| CVE-2026-0878 | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component | High | Oskar L |
| CVE-2026-0879 | Sandbox escape due to incorrect boundary conditions in the Graphics component | High | Oskar L |
| CVE-2026-0880 | Sandbox escape due to integer overflow in the Graphics component | High | Oskar L |
| CVE-2026-0881 | Sandbox escape in the Messaging System component | High | Andrew McCreight |
| CVE-2026-0882 | Use-after-free in the IPC component | High | Randell Jesup |
| CVE-2026-0883 | Information disclosure in the Networking component | Moderate | Vladislav Plyatsok |
| CVE-2026-0884 | Use-after-free in the JavaScript Engine component | Moderate | Gary Kwong and Nan Wang |
| CVE-2026-0885 | Use-after-free in the JavaScript: GC component | Moderate | Irvan Kurniawan |
| CVE-2026-0886 | Incorrect boundary conditions in the Graphics component | Moderate | Oskar L |
| CVE-2026-0887 | Clickjacking issue, information disclosure in the PDF Viewer component | Moderate | Lyra Rebane |
| CVE-2026-0888 | Information disclosure in the XML component | Low | Pier Angelo Vendrame |
| CVE-2026-0889 | Denial-of-service in the DOM: Service Workers component | Low | Elysee Franchuk, Caleb Lerch |
| CVE-2026-0890 | Spoofing issue in the DOM: Copy & Paste and Drag & Drop component | Low | Edgar Chen |
| CVE-2026-0891 | Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147 | High | Andrew McCreight, Dennis Jackson and the Mozilla Fuzzing Team |

Mozilla’s fuzzing team identified memory safety bugs fixed in CVE-2026-0891 (affecting ESR 140.6, Firefox 146, Thunderbird 146) and CVE-2026-0892 (Firefox/Thunderbird 146). Bugs like 1964722 and 2004443 exhibited corruption patterns ripe for exploitation.

Organizations should prioritize updates via Firefox’s auto-updater or admin consoles.
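
To confirm the rollout, the following added example (not from Mozilla or the original article) audits a software inventory against the fixed versions named above. It is channel-aware, because a plain "version >= 147" check would wrongly flag a patched ESR 140.7 build. The inventory layout, hostnames and function names are assumptions made for illustration.

```python
import re

# Fixed versions as stated in the article, per product and channel.
FIXED = {
    ("firefox", "release"): (147, 0),
    ("firefox", "esr"): (140, 7),
    ("thunderbird", "release"): (147, 0),
    ("thunderbird", "esr"): (140, 7),
}

# Matches "146.0.1", "147.0" or "140.7.0esr"; anything else is left for review.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$", re.IGNORECASE)


def classify(product, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one installed build."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        return "unknown"  # beta/nightly or garbled strings need manual review
    channel = "esr" if m.group(4) else "release"
    fixed = FIXED.get((product.lower(), channel))
    if fixed is None:
        return "unknown"  # product not covered by this advisory
    installed = (int(m.group(1)), int(m.group(2)))
    return "patched" if installed >= fixed else "vulnerable"


def audit(inventory):
    """Classify each (host, product, version) row and list hosts to follow up."""
    results = [(host, product, version, classify(product, version))
               for host, product, version in inventory]
    needs_update = sorted({r[0] for r in results if r[3] != "patched"})
    return results, needs_update


# Constructed sample inventory (hostnames and rows are illustrative only).
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "146.0.1"),
    ("ws-02", "Firefox", "147.0"),
    ("ws-03", "Firefox", "140.6.0esr"),
    ("ws-04", "Firefox", "140.7.0esr"),
    ("ws-05", "Thunderbird", "146.0"),
    ("ws-06", "Firefox", "148.0a1"),
]

if __name__ == "__main__":
    results, needs_update = audit(SAMPLE_INVENTORY)
    for host, product, version, status in results:
        print(f"{host:6} {product:12} {version:12} {status}")
    print("Hosts needing attention:", ", ".join(needs_update))
```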


The post Firefox 147 Released With Fixes for 16 Vulnerabilities that Enable Arbitrary Code Execution appeared first on Cyber Security News.
