Cyber Resilience

CVE-2026-2447

HighUpdated

Published: 16 February 2026

Published
16 February 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0045 36.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-2447 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 36.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2447 is a heap buffer overflow vulnerability (CWE-122) in the libvpx multimedia library, which handles VP8 and VP9 video decoding. It affects Mozilla Firefox versions prior to 147.0.4, Firefox ESR prior to 140.7.1 and 115.32.1, Thunderbird prior to 140.7.2 and 147.0.2, and potentially other software using vulnerable libvpx instances. The issue carries a CVSS v3.1 base score of 8.8, reflecting high severity due to its potential for significant impact.

A remote attacker can exploit this vulnerability over the network with low complexity and no required privileges, but it necessitates user interaction, such as opening a maliciously crafted VPX video file or media stream in an affected browser or email client. Successful exploitation could result in high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution within the browser sandbox or renderer process.

Mozilla Security Advisories MFSA2026-10 and MFSA2026-11 detail patches in the listed Firefox and Thunderbird versions, recommending immediate upgrades. The Mozilla Bugzilla entry (bug 2014390) provides additional technical details on the fix. Debian LTS users are advised to update via the announcement at lists.debian.org/debian-lts-announce/2026/02/msg00028.html.

EU & UK References

Vulnerability details

Heap buffer overflow in libvpx. This vulnerability was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Heap buffer overflow in client-side media decoder (libvpx) directly enables T1203 Exploitation for Client Execution when a user opens a malicious VPX video file (T1204.002), leading to code execution in the renderer process.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1943Same product: Mozilla Firefox
CVE-2026-3845Same product: Mozilla Firefox
CVE-2025-1009Same product: Mozilla Firefox
CVE-2026-5731Same product: Mozilla Firefox
CVE-2026-8093Same product: Mozilla Firefox
CVE-2026-7324Same product: Mozilla Firefox
CVE-2026-0891Same product: Mozilla Firefox
CVE-2026-6752Same product: Mozilla Firefox
CVE-2025-1937Same product: Mozilla Firefox
CVE-2026-0884Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 115.32.1 · ≤ 147.0.4 · 116.0 — 140.7.1
mozilla
thunderbird
≤ 140.7.2 · 141.0 — 147.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and patching of the heap buffer overflow flaw in libvpx as fixed in specified Firefox and Thunderbird versions.

detect

Enables scanning and monitoring to identify systems running vulnerable Firefox or Thunderbird versions affected by CVE-2026-2447.

prevent

Provides memory protections like ASLR and heap canaries to mitigate exploitation of the heap buffer overflow even on unpatched systems.

References