On February 16, 2026, Mozilla released an urgent security update for Firefox that addressed a high-severity heap buffer overflow in the libvpx video codec library This article explores vulnerable versions firefox. . The VP8 and VP9 video processing formats, which Firefox uses extensively on desktop and mobile platforms, are affected by this vulnerability, which is tracked as CVE-2026-2447.

After security researcher Jayjayjazz identified the problem, Firefox 147.0.4, Firefox ESR 140.7.1, and Firefox ESR 115.32.1 all received speedy patches. When software writes data beyond the allocated memory buffer in the heap, the dynamic memory area that programs use during runtime, this is known as a heap buffer overflow. Attackers can take advantage of this by overwriting nearby memory with oversized or distorted video data.

Without the user doing anything more than visiting a malicious website or watching manipulated video, this results in arbitrary code execution, browser crashes, or complete system compromise. Through carefully constructed webpages, remote hackers could take advantage of it by inserting exploit payloads into seemingly harmless media streams. According to Mozilla's MFSA 2026-10 advisory, CVE-2026-2447 poses a high-impact risk to millions of Windows, macOS, and Linux users.

Although there are currently no widely used exploits in the wild, drive-by attacks are likely to target the vulnerability due to its ease of remote triggering.

CVE ID CVSS Score Severity Description CVE-2026-2447 N/A High Heap buffer overflow impacting video processing in the libvpx library Versions Affected and Patched Vulnerable Versions of Firefox Edition Patched Version of Firefox < 147.0.4 147.0.4 Firefox ESR < 140.7.1 Firefox ESR < 115.32.1 115.32.1 Firefox checks and applies patches automatically, so users should update right away using the Help > About Firefox menu. As an alternative, get new installers from Mozilla's website. To prevent exposure, enterprises in charge of ESR branches must give deployment top priority.

This release emphasizes the importance of libvpx in browsing that involves a lot of multimedia and the necessity of careful patching. Previous campaigns, such as those aimed at media players, have been fueled by similar overflows. Enable auto-updates and keep an eye on CISA alerts to stay ahead of the game. Make ZeroOwl your preferred source in Google