CVE-2026-2447
Published: 16 February 2026
Summary
CVE-2026-2447 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 5.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and patching of the heap buffer overflow flaw in libvpx as fixed in specified Firefox and Thunderbird versions.
Enables scanning and monitoring to identify systems running vulnerable Firefox or Thunderbird versions affected by CVE-2026-2447.
Provides memory protections like ASLR and heap canaries to mitigate exploitation of the heap buffer overflow even on unpatched systems.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow in client-side media decoder (libvpx) directly enables T1203 Exploitation for Client Execution when a user opens a malicious VPX video file (T1204.002), leading to code execution in the renderer process.
NVD Description
Heap buffer overflow in libvpx. This vulnerability was fixed in Firefox 147.0.4, Firefox ESR 140.7.1, Firefox ESR 115.32.1, Thunderbird 140.7.2, and Thunderbird 147.0.2.
Deeper analysisAI
CVE-2026-2447 is a heap buffer overflow vulnerability (CWE-122) in the libvpx multimedia library, which handles VP8 and VP9 video decoding. It affects Mozilla Firefox versions prior to 147.0.4, Firefox ESR prior to 140.7.1 and 115.32.1, Thunderbird prior to 140.7.2 and 147.0.2, and potentially other software using vulnerable libvpx instances. The issue carries a CVSS v3.1 base score of 8.8, reflecting high severity due to its potential for significant impact.
A remote attacker can exploit this vulnerability over the network with low complexity and no required privileges, but it necessitates user interaction, such as opening a maliciously crafted VPX video file or media stream in an affected browser or email client. Successful exploitation could result in high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution within the browser sandbox or renderer process.
Mozilla Security Advisories MFSA2026-10 and MFSA2026-11 detail patches in the listed Firefox and Thunderbird versions, recommending immediate upgrades. The Mozilla Bugzilla entry (bug 2014390) provides additional technical details on the fix. Debian LTS users are advised to update via the announcement at lists.debian.org/debian-lts-announce/2026/02/msg00028.html.
Details
- CWE(s)