firefox-140.7.0-1.el9_7.ML.1

エラータID: AXSA:2026-053:01

Release date: 
Wednesday, January 21, 2026 - 11:59
Subject: 
firefox-140.7.0-1.el9_7.ML.1
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

* firefox: Spoofing issue in the Downloads Panel component (CVE-2025-14327)
* firefox: Use-after-free in the JavaScript: GC component (CVE-2026-0885)
* firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147 (CVE-2026-0891)
* firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component (CVE-2026-0878)
* firefox: Use-after-free in the IPC component (CVE-2026-0882)
* firefox: Use-after-free in the JavaScript Engine component (CVE-2026-0884)
* firefox: Information disclosure in the Networking component (CVE-2026-0883)
* firefox: Mitigation bypass in the DOM: Security component (CVE-2026-0877)
* firefox: Spoofing issue in the DOM: Copy & Paste and Drag & Drop component (CVE-2026-0890)
* firefox: Clickjacking issue, information disclosure in the PDF Viewer component (CVE-2026-0887)
* firefox: Sandbox escape due to incorrect boundary conditions in the Graphics component (CVE-2026-0879)
* firefox: Sandbox escape due to integer overflow in the Graphics component (CVE-2026-0880)
* firefox: Incorrect boundary conditions in the Graphics component (CVE-2026-0886)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-14327
Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146, Thunderbird < 146, Firefox ESR < 140.7, and Thunderbird < 140.7.
CVE-2026-0877
Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0878
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0879
Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0880
Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0882
Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0883
Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0884
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0885
Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0886
Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0887
Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0890
Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0891
Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.

Solution: 

Update packages.

CVEs: 
CVE-2025-14327
Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146, Thunderbird < 146, Firefox ESR < 140.7, and Thunderbird < 140.7.
CVE-2026-0877
Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0878
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0879
Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0880
Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0882
Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0883
Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0884
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0885
Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0886
Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0887
Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0890
Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
CVE-2026-0891
Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Additional Info: 

N/A

Download: 

SRPMS
  1. firefox-140.7.0-1.el9_7.ML.1.src.rpm
    MD5: 95a0b542943adaada2b7627e0a3ecdbd
    SHA-256: 9167c3c4caa241ed4c0faffcb01700505c2f5e96e74fbbc3aeca6d9a6993043a
    Size: 0.99 GB

Asianux Server 9 for x86_64
  1. firefox-140.7.0-1.el9_7.ML.1.x86_64.rpm
    MD5: 6c58280552ed6400c662772d793be92d
    SHA-256: a087366b15cc643a2ebf152ace4ba943864126d8b2d536ca0003c5594d194e05
    Size: 114.87 MB
  2. firefox-x11-140.7.0-1.el9_7.ML.1.x86_64.rpm
    MD5: aa1597d2f8af5cdc72febcb2f9355bfd
    SHA-256: 6044ba2912fbcd1e11c183f8655c82c56df87cdd6a1b26ee4bc37141aef0f25c
    Size: 13.11 kB