Firefox Update Fixes Heap Buffer Overflow Vulnerability Enabling Remote Code Execution

What happened

Mozilla released Firefox version 147.0.3 to address a high-severity heap buffer overflow vulnerability in the browser’s media processing library. The flaw, tracked as CVE-2026-2447, was discovered in the libvpx video codec library and could be triggered when users visit malicious websites containing specially crafted video content. Successful exploitation could cause memory corruption and allow attackers to execute arbitrary code on affected systems. Mozilla fixed the issue by strengthening memory handling and validation controls in libvpx, and released patched versions including Firefox 147.0.4 and updated Extended Support Release versions. 

Who is affected

Users and organizations running vulnerable versions of Mozilla Firefox, including desktop and Extended Support Release deployments, are affected if they have not applied the latest security updates.

Why CISOs should care

The vulnerability affects a widely used enterprise browser, where exploitation through malicious web content could allow attackers to execute code and compromise systems used for corporate access and sensitive workflows.

3 practical actions

  • Update Firefox immediately. Deploy Firefox 147.0.4 or later to remediate CVE-2026-2447. 
  • Audit browser deployment versions. Identify systems running outdated Firefox releases that remain vulnerable. 
  • Ensure automatic browser updates are enabled. This allows systems to receive future security fixes promptly.
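To support the audit step, here is an added example (not from the article or from Mozilla) that classifies Firefox inventory entries against the fixed rapid-release version the article names, 147.0.4. The fixed ESR version is left as a placeholder because the article does not state it, and the inventory lines are constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Fixed rapid-release version stated in the article for CVE-2026-2447.
FIXED_RELEASE: Tuple[int, int, int] = (147, 0, 4)
# PLACEHOLDER: the article says ESR builds were updated but does not give the
# version; set this from Mozilla's release notes before trusting ESR verdicts.
FIXED_ESR: Optional[Tuple[int, int, int]] = None

# Matches "Mozilla Firefox 147.0.3" or "Mozilla Firefox 140.8.0esr" as printed
# by `firefox --version`; the third component is optional (e.g. "148.0").
VERSION_RE = re.compile(r"Mozilla Firefox\s+(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.I)


class Check(NamedTuple):
    host: str
    version: str
    channel: str   # "release", "esr" or "unknown"
    status: str    # "vulnerable", "patched", "needs-review" or "unparsed"


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), channel) or None if the text is not Firefox."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), ("esr" if esr else "release")


def assess(host: str, version_text: str) -> Check:
    """Compare one host's reported version against the fixed baseline for its channel."""
    parsed = parse_version(version_text)
    if parsed is None:
        return Check(host, version_text.strip(), "unknown", "unparsed")
    ver, channel = parsed
    baseline = FIXED_ESR if channel == "esr" else FIXED_RELEASE
    dotted = ".".join(map(str, ver))
    if baseline is None:
        return Check(host, dotted, channel, "needs-review")  # ESR baseline unknown
    # Tuple comparison handles "148.0" (> 147.0.4) and "147.0" (< 147.0.4) correctly.
    return Check(host, dotted, channel, "patched" if ver >= baseline else "vulnerable")


def audit(lines: List[str]) -> List[Check]:
    """Each inventory line is 'hostname<TAB>output of firefox --version' (constructed format)."""
    results = []
    for line in lines:
        host, _, version_text = line.partition("\t")
        results.append(assess(host, version_text))
    return results
```

Hosts reported as "needs-review" are ESR installs whose patched version must be confirmed separately before they are marked remediated.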