Mozilla has shipped an emergency security update, Firefox ESR 140.10.1, patching four vulnerabilities, including two rated critical, that could allow attackers to execute arbitrary code and escape the browser sandbox on affected systems.
The patches, announced on April 28, 2026, under Security Advisory MFSA 2026-36, also extend fixes to Firefox ESR 115.35.1 and Firefox 150.0.1, reflecting the broad scope of memory safety issues discovered across multiple browser generations.
Security agencies, including the Canadian Center for Cyber Security, have already issued independent alerts urging immediate upgrades.
Firefox Extended Support Release (ESR) is Mozilla’s long-term support variant designed for enterprises, educational institutions, government networks, and organizations that require stability over rapid feature rollouts.
Because ESR deployments are typically widespread in corporate environments and receive updates slowly, vulnerabilities targeting ESR versions pose outsized risk; a single unpatched system can become a critical entry point for attackers.
CVE-2026-7322: Critical Memory Safety Bugs
Firefox ESR 140.10 was first offered to ESR channel users in April 2026, incorporating enterprise-focused enhancements introduced in Firefox 128. The 140.10.1 emergency patch release indicates that Mozilla identified post-release security gaps significant enough to warrant an out-of-band fix rather than waiting for the next scheduled cycle.
The most severe flaw in this advisory, CVE-2026-7322, is rated Critical and affects Firefox ESR 115.35.0, Firefox ESR 140.10.0, and Firefox 150.0.0. This vulnerability stems from memory safety bugs that showed clear evidence of memory corruption during testing.
The security advisory confirms that, with sufficient effort, these bugs could be exploited to run arbitrary code in the context of the browser process. The vulnerability was fixed simultaneously across Firefox 150.0.1, Firefox ESR 140.10.1, and Firefox ESR 115.35.1, underscoring that the underlying bug class was shared across all three active Firefox branches.
CVE-2026-7323: High-Severity Memory Corruption
CVE-2026-7323, rated High, affects Firefox ESR 140.10.0, Thunderbird ESR 140.10.0, Firefox 150.0.0, and Thunderbird 150.0.0. This vulnerability involves memory corruption triggered during the rendering of specially crafted web content, enabling remote attackers to execute arbitrary code.
The attack surface for CVE-2026-7323 is particularly concerning because it involves web content rendering, meaning a victim only needs to visit or be redirected to a malicious webpage for exploitation to occur. The fix is included in Firefox ESR 140.10.1 and Firefox 150.0.1.
CVE-2026-7321: Sandbox Escape via WebRTC Networking
CVE-2026-7321 is a sandbox escape vulnerability caused by incorrect boundary conditions in the WebRTC: Networking component. This flaw could allow an attacker who has already compromised the browser renderer process to break out of Firefox’s sandbox entirely, a critical privilege escalation step in a full exploitation chain.
Tenable’s CVE database classifies this vulnerability as Critical, noting it was fixed exclusively in Firefox ESR 140.10.1. WebRTC-based attack vectors are particularly dangerous in enterprise environments where real-time communication features are commonly enabled in browsers used for video conferencing and collaboration tools.
CVE-2026-7320: Information Disclosure
CVE-2026-7320, rated High, is an information disclosure vulnerability resulting from incorrect boundary conditions in the Audio/Video component.
This flaw could expose sensitive memory contents to an attacker, potentially leaking information such as memory layout addresses and data that could be weaponized to bypass ASLR (Address Space Layout Randomization) protections in a multi-stage attack. The fix was applied across Firefox 150.0.1, Firefox ESR 140.10.1, and Firefox ESR 115.35.1.
Remediation
Organizations and individual users are strongly urged to update to Firefox ESR 140.10.1 immediately via Help → About Firefox or through Mozilla’s enterprise software distribution systems.
Given that two of these CVEs enable arbitrary code execution and one enables a full sandbox escape, threat actors actively scanning for unpatched browser deployments could weaponize these vulnerabilities quickly.
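One way for an administrator to check a fleet inventory against the fixed builds named in MFSA 2026-36 (an added example, not Mozilla's tooling; the host names and version strings below are constructed, and the "<host> <version>" inventory format is an assumption):

```python
"""Classify Firefox / Firefox ESR version strings against the fixed builds
from MFSA 2026-36. Version strings look like the output of `firefox --version`
without the "Mozilla Firefox " prefix, e.g. "140.10.0esr" or "150.0.1"."""
import re

# Fixed versions named in the advisory, keyed by major version (branch).
FIXED = {115: (115, 35, 1), 140: (140, 10, 1), 150: (150, 0, 1)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


def parse_version(text):
    """Return (major, minor, patch) for '140.10.0esr', '150.0.1', etc."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def status(version_text):
    """'patched', 'VULNERABLE', or 'unknown-branch' for branches the
    advisory does not list (e.g. 128), which are reported, not guessed."""
    ver = parse_version(version_text)
    fixed = FIXED.get(ver[0])
    if fixed is None:
        return "unknown-branch"
    return "patched" if ver >= fixed else "VULNERABLE"


def audit(inventory_lines):
    """Map host -> status for '<host> <version>' lines; skips comments."""
    result = {}
    for line in inventory_lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, version_text = line.split(None, 1)
        result[host] = status(version_text)
    return result


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    "# host  firefox --version",
    "ws-01  140.10.0esr",
    "ws-02  140.10.1esr",
    "ws-03  115.35.0esr",
    "ws-04  150.0.1",
    "ws-05  150.0.0",
    "ws-06  128.14.0esr",
]

if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{state}")
```

Any host reported as VULNERABLE is below the fixed build for its branch and should be prioritised for the update; unknown-branch entries need a manual check against the advisory.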
FAQ
Q1. What is the most dangerous vulnerability in MFSA 2026-36?
CVE-2026-7322 and CVE-2026-7321 are the most dangerous CVEs. CVE-2026-7322 enables arbitrary code execution via memory corruption, while CVE-2026-7321 allows a complete browser sandbox escape through the WebRTC Networking component.
Q2. Is Firefox ESR 115 also affected?
Yes, CVE-2026-7322 and CVE-2026-7320 affect Firefox ESR 115.35.0, and both are patched in the updated Firefox ESR 115.35.1 release.
Q3. Do users need to do anything beyond updating Firefox?
Updating to the patched version (ESR 140.10.1, ESR 115.35.1, or Firefox 150.0.1) is sufficient; no additional configuration changes or workarounds are required or currently documented.
Q4. Are Thunderbird users also at risk from these vulnerabilities?
Yes, CVE-2026-7322 and CVE-2026-7323 also affect Thunderbird ESR 140.10.0 and Thunderbird 150.0.0, so Thunderbird users must apply the corresponding security patches.
Site: thecybrdef.com