Mozilla has released an out-of-band security update to address a critical vulnerability affecting its browser. The update, issued as Firefox v147.0.4, resolves a high-impact Heap buffer overflow flaw in the libvpx video codec library. The issue is tracked under CVE-2026-2447 and was identified by security researcher jayjayjazz.
Although some users initially referenced Firefox v147 in discussions of the flaw, the patched build is officially version 147.0.4. Alongside this release, Mozilla also pushed updates for its Extended Support Release (ESR) channels: Firefox ESR 140.7.1 and Firefox ESR 115.32.1. The coordinated rollout reflects the seriousness of the vulnerability and its potential exposure across supported platforms.
Details of the Heap Buffer Overflow Vulnerability CVE-2026-2447
CVE-2026-2447 is classified as a Heap buffer overflow vulnerability in the libvpx library, which Firefox relies on to process VP8 and VP9 video formats. These codecs are widely used for web-based multimedia content.
A Heap buffer overflow occurs when software writes data beyond the bounds of allocated memory in the heap, the area of memory reserved for dynamic operations during runtime. When this happens, adjacent memory regions may be overwritten. In practical terms, attackers can exploit such behavior by supplying malformed or oversized input, such as specially crafted video data. If successful, the exploit can lead to arbitrary code execution, browser crashes, or even full system compromise.
In the case of CVE-2026-2447, malicious actors could embed exploit payloads within seemingly legitimate media streams or web pages. A victim might only need to visit a compromised or malicious website or open rigged video content for the Heap buffer overflow to be triggered. Because Firefox v147 and earlier affected builds handle video decoding automatically, exploitation could occur without obvious warning signs beyond routine browsing activity.
Mozilla classified CVE-2026-2447 as “high” severity. The advisory notes that the vulnerability carries a high impact rating, although a CVSS score was not listed at the time of disclosure.
Affected and Patched Versions
Mozilla confirmed the following version details:
- Firefox versions earlier than 147.0.4 are vulnerable; the issue is fixed in 147.0.4.
- Firefox ESR versions earlier than 140.7.1 are vulnerable; the issue is fixed in 140.7.1.
- Firefox ESR versions earlier than 115.32.1 are vulnerable; the issue is fixed in 115.32.1.
Users running Firefox v147 prior to the 147.0.4 patch are advised to update immediately. Enterprises maintaining ESR branches should prioritize deployment, as ESR editions are often used in managed corporate environments where delayed patching can increase exposure.
Exploitation Risk and Broader Context
At the time of disclosure, there were no confirmed reports of widespread exploitation in the wild. However, security experts note that Heap buffer overflow flaws are frequently targeted due to their reliability and potential for remote code execution. Because CVE-2026-2447 can be triggered remotely through malicious web content, it presents an attractive vector for drive-by attacks.
The libvpx library plays a central role in multimedia-heavy browsing sessions. As web platforms rely on embedded video and streaming formats such as VP8 and VP9, vulnerabilities in codec handling can have broad consequences. Past campaigns have highlighted how similar memory corruption flaws in media processing components can be weaponized quickly after public disclosure.
Update Guidance
Mozilla recommends that users update through the browser’s built-in mechanism by navigating to Help > About Firefox, which automatically checks for and installs updates. Alternatively, fresh installers can be obtained from Mozilla’s official website. Systems administrators overseeing ESR deployments should ensure that Firefox v147 environments and corresponding ESR branches are patched without delay.
The release of Firefox v147.0.4 highlights the ongoing need for timely patch management. CVE-2026-2447, rooted in a Heap buffer overflow within libvpx, highlights how low-level memory handling issues can cascade into high-severity security threats when embedded in widely used software.
