DEBIAN-CVE-2026-4709

DEBIAN-CVE-2026-4709 PUBLISHED CVSS 7.5 HIGH

Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Debian:11	firefox-esr	128.4.0esr-1, 91.9.1, 91.9.1
Debian:13	thunderbird	140.6.0, 0, 1:128.13.0esr-1
Debian:11	thunderbird	1:78.14.0-1, 1:78.14.0-1~deb11u1, 1:78.14.0-1~deb9u1
Debian:14	thunderbird	128.14.0, 128.14.0, 129.0
Debian:12	firefox-esr	140.9.0, 102.11.0esr-1, 102.12.0esr-1~deb10u1
Debian:12	thunderbird	1:102.12.0-1~deb11u1, 1:130.0~b3-1, 1:129.0~b6-1
Debian:13	firefox-esr	0, 140.9.0, 140.9.0
Debian:14	firefox-esr	140.9.0, 0, 140.9.0

Timeline

Mar 24, 2026 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-4709 advisory

Open in Interactive Console →