Mozilla Patches High-Severity Firefox Vulnerability in libvpx Video Codec
On February 16, 2026, Mozilla released an urgent security update for Firefox to address a high-severity heap buffer overflow vulnerability (CVE-2026-2447) in the libvpx video codec library. The flaw affects video processing for VP8 and VP9 formats, which are widely used across Firefox’s desktop and mobile platforms.
Discovered by security researcher Jayjayjazz, the vulnerability allows attackers to exploit malformed or oversized video data, potentially leading to arbitrary code execution, browser crashes, or full system compromise. Exploitation requires no user interaction beyond visiting a malicious website or playing rigged video content, making it a prime target for drive-by attacks.
The issue stems from a heap buffer overflow, where data is written past the allocated memory buffer in the heap, enabling attackers to overwrite adjacent memory. Remote hackers could leverage this by embedding exploit payloads in seemingly innocuous media streams.
Mozilla rated the vulnerability as high-impact in its MFSA 2026-10 advisory, warning of risks to millions of users on Windows, macOS, and Linux. While no active exploits have been reported in the wild, the ease of remote triggering heightens the threat.
Affected and Patched Versions:
- Firefox < 147.0.4 → Patched in 147.0.4
- Firefox ESR < 140.7.1 → Patched in 140.7.1
- Firefox ESR < 115.32.1 → Patched in 115.32.1
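The version list above has to be read per branch: an ESR 115 install is judged against 115.32.1, not against 140.7.1. The following triage script is an added example, not code from Mozilla or from the original article; the channel labels, hostnames and inventory rows are constructed, and the "unlisted" status for ESR branches the list does not name is an assumption of this example.

```python
import re

# Fixed versions exactly as listed above; ESR is keyed by major branch.
FIXED_RELEASE = (147, 0, 4)
FIXED_ESR = {140: (140, 7, 1), 115: (115, 32, 1)}

def parse_version(text):
    """Turn '147.0.4' or '140.7.1esr' into a tuple of three ints."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:esr)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def triage(version, channel):
    """Classify one install as 'patched', 'vulnerable' or 'unlisted'."""
    v = parse_version(version)
    if channel == "release":
        return "patched" if v >= FIXED_RELEASE else "vulnerable"
    if channel == "esr":
        fixed = FIXED_ESR.get(v[0])
        if fixed is None:
            return "unlisted"  # assumption: branch not named on this page
        return "patched" if v >= fixed else "vulnerable"
    raise ValueError(f"unknown channel: {channel!r}")

def needs_action(inventory):
    """Return (host, version, status) for every install that is not patched."""
    rows = ((host, ver, triage(ver, chan)) for host, ver, chan in inventory)
    return [row for row in rows if row[2] != "patched"]

# Constructed inventory: hostnames and installed versions are sample data.
SAMPLE_INVENTORY = [
    ("ws-001", "147.0.4", "release"),
    ("ws-002", "147.0.3", "release"),
    ("kiosk-01", "140.7.0esr", "esr"),
    ("legacy-07", "115.32.1esr", "esr"),
    ("lab-03", "128.5.0esr", "esr"),
]

if __name__ == "__main__":
    for host, ver, status in needs_action(SAMPLE_INVENTORY):
        print(f"{host}: Firefox {ver} -> {status}")
```

Installs reported as "unlisted" need a manual check against the MFSA 2026-10 advisory, since the list above does not say whether those branches received a fix.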
The update underscores the critical role of libvpx in multimedia-heavy browsing and the importance of timely patching, as similar vulnerabilities have been exploited in past campaigns targeting media players.
Source: https://cyberpress.org/mozilla-firefox-v147-0-3-released/
Mozilla TPRM report: https://www.rankiteo.com/company/mozilla-corporation