DEBIAN-CVE-2026-2447
PUBLISHED
CVSS 8.8 HIGH
Heap buffer overflow in libvpx. This vulnerability was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2.
Risk Scores
CVSS v3.1
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | thunderbird | 78.13.0-1, 78.13.0-1, 78.14.0-1 |
| Debian:13 | libvpx | 0, 1.15.0-2.1, 0 |
| Debian:14 | firefox-esr | 140.8.0, 140.7.0, 140.7.0 |
| Debian:12 | libvpx | 1.12.0-1, 1.12.0-1+deb12u3, 1.12.0-1 |
| Debian:13 | thunderbird | *, *, 1:140.6.0esr-1~deb13u1 |
| Debian:14 | libvpx | 0, 1.15.0-2.1, 1.15.2-1 |
| Debian:14 | thunderbird | 1:140.3.0esr-1~deb11u1, 1:140.3.0esr-1~deb13u1, 1:140.3.1esr-1 |
| Debian:11 | libvpx | 1.9.0-1, 1.9.0-1, 1.9.0-1 |
| Debian:12 | thunderbird | 120.0, 1:102.11.0-1, 1:102.12.0-1 |
| Debian:13 | firefox-esr | *, *, * |
| Debian:12 | firefox-esr | 0, 102.12.0esr-1, 102.12.0esr-1~deb11u1 |
| Debian:11 | firefox-esr | 140.4.0, 140.4.0, 140.4.0 |
Exploit Intelligence
- mfsa2026-10.yml (github-poc)
- 2026.xml (github-poc)
- 2026.xml (github-poc)
- patch-vp9_vp9__cx__iface.c (github-poc)
Timeline
- Feb 16, 2026 CVE Published
- Apr 28, 2026 CVE Updated