Mozilla Foundation Security Advisory 2026-01: Security Vulnerabilities Fixed in Firefox 147

CyberDefender 6 mins0

On January 13, 2026, Mozilla announced the release of Firefox version 147, which addresses a wide range of security issues in earlier versions of the browser. These vulnerabilities vary in severity—from low to high—and cover numerous internal components of Firefox, including the browser engine, graphics subsystem, networking stack, and more. Users and administrators are strongly advised to update to the latest Firefox version to protect against these flaws.

Overview of the Advisory

  • Advisory: Mozilla Foundation Security Advisory 2026-01
  • Title: Security Vulnerabilities fixed in Firefox 147
  • Announcement Date: January 13, 2026
  • Impact: High (among others)
  • Affected Product: Mozilla Firefox (all affected versions prior to 147)
  • Fixed in: Firefox 147

This advisory is part of Mozilla’s ongoing effort to keep its browser secure by releasing timely updates and fixing newly discovered vulnerabilities. Each listed issue is tracked with a CVE identifier and is categorized based on impact.

Security Vulnerabilities Addressed in Firefox 147

High-Severity Issues

High-severity vulnerabilities are those that could allow attackers to bypass security protections, escape isolation mechanisms, or potentially execute arbitrary code. Firefox 147 includes fixes for several such critical issues:

  1. CVE-2026-0877 – Mitigation Bypass in the DOM Security Component
    A flaw in the Document Object Model (DOM) could allow a security mitigation to be bypassed, enabling more advanced attacks.
  2. CVE-2026-0878 – Sandbox Escape in CanvasWebGL Graphics Component
    Incorrect boundary conditions in the WebGL graphics subsystem could allow code running inside Firefox’s sandbox to escape it.
  3. CVE-2026-0879 – Sandbox Escape in Graphics Component
    Similar to the previous issue, this graphics-related flaw could allow untrusted content to break out of restricted execution.
  4. CVE-2026-0880 – Sandbox Escape due to Integer Overflow
    An integer overflow in the graphics subsystem may be exploited to achieve sandbox escape.
  5. CVE-2026-0881 – Sandbox Escape in Messaging System Component
    Vulnerabilities in the internal messaging functionality could allow privilege escalation.
  6. CVE-2026-0882 – Use-After-Free in IPC Component
    A classic memory management bug—use-after-free—exists in Firefox’s inter-process communication (IPC) code, which could lead to control over execution by an attacker.
  7. CVE-2026-0891 – Memory Safety Bugs (High Impact)
    Multiple memory safety issues present in older versions showed evidence of memory corruption and could potentially be exploited to run arbitrary code.

Moderate to Lower Impact Issues

Several vulnerabilities that pose moderate or lower risk were also fixed:

  • CVE-2026-0883 – Information Disclosure (Networking Component)
    Could allow sensitive data exposure via networking code.
  • CVE-2026-0884 & CVE-2026-0885 – Use-After-Free in JavaScript Engine and GC
    These bugs stem from the JavaScript engine and garbage collector, which could cause crashes or unexpected behavior.
  • CVE-2026-0886 – Incorrect Boundary Conditions in Graphics
    Graphics rendering logic could be misused due to improper input checks.
  • CVE-2026-0887 – Clickjacking and Info Disclosure in PDF Viewer
    A clickjacking vulnerability and potential information disclosure affect the built-in PDF viewer.
  • CVE-2026-0888 – Information Disclosure in XML Component
    A lesser-risk flaw in XML parsing that might leak information.
  • CVE-2026-0889 – Denial-of-Service in DOM Service Workers
    A bug could allow remote actors to cause a denial-of-service through faulty service worker logic.
  • CVE-2026-0890 – Spoofing via Drag & Drop/Copy-Paste
    A spoofing issue where malicious content might deceive users during drag & drop or copy-paste actions.

Why These Fixes Matter

Many of the vulnerabilities fixed in Firefox 147 relate to memory safety and sandbox escape, two of the most dangerous categories of software bugs. Exploiting these could allow attackers to break out of browser security restrictions, execute code, or access sensitive user data. Reports and external trackers have noted that some of these bugs showed evidence of exploitable memory corruption, meaning they could lead to arbitrary code execution with enough effort.

Recommendations for Users

Mozilla strongly recommends that all Firefox users update immediately to version 147 to receive these important security fixes. Running an outdated version leaves the browser susceptible to known exploits. Users should also ensure that Firefox ESR (Extended Support Release) and related Mozilla products receive corresponding updates.

CyberDefender