Updated nspr, nss and firefox(-l10n) packages fix security issues
Publication date: 29 May 2026Modification date: 29 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-8388 , CVE-2026-8391 , CVE-2026-8401 , CVE-2026-8946 , CVE-2026-8947 , CVE-2026-8950 , CVE-2026-8953 , CVE-2026-8954 , CVE-2026-8955 , CVE-2026-8956 , CVE-2026-8957 , CVE-2026-8958 , CVE-2026-8961 , CVE-2026-8962 , CVE-2026-8968 , CVE-2026-8970 , CVE-2026-8974 , CVE-2026-8975
Description
The updated packages fix security vulnerabilities:
Incorrect boundary conditions in the Audio/Video: Web Codecs component.
(CVE-2026-8946)
Incorrect boundary conditions in the JavaScript Engine: JIT component.
(CVE-2026-8388)
Use-after-free in the DOM: Bindings (WebIDL) component. (CVE-2026-8947)
Other issue in the JavaScript Engine component. (CVE-2026-8391)
Sandbox escape in the Profile Backup component. (CVE-2026-8401)
Same-origin policy bypass in the Networking: HTTP component.
(CVE-2026-8950)
Sandbox escape due to use-after-free in the Disability Access APIs
component. (CVE-2026-8953)
Incorrect boundary conditions, integer overflow in the Audio/Video
component. (CVE-2026-8954)
Privilege escalation in the DOM: Workers component. (CVE-2026-8955)
Integer overflow in the Networking: JAR component. (CVE-2026-8956)
Privilege escalation in the Enterprise Policies component.
(CVE-2026-8957)
Information disclosure, sandbox escape in the Security: Process
Sandboxing component. (CVE-2026-8958)
Spoofing issue in the Form Autofill component. (CVE-2026-8961)
Mitigation bypass in the DOM: Security component. (CVE-2026-8962)
Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs
component. (CVE-2026-8968)
Privilege escalation in the Security component. (CVE-2026-8970)
Memory safety bugs fixed in Firefox ESR 140.11 and Firefox 151.
(CVE-2026-8974)
Memory safety bugs fixed in Firefox ESR 115.36, Firefox ESR 140.11 and
Firefox 151. (CVE-2026-8975)
References
- https://bugs.mageia.org/show_bug.cgi?id=35555
- https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/S3z0rOO1xpg
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_124.html
- https://www.firefox.com/en-US/firefox/140.11.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-48/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8388
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8391
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8401
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8946
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8947
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8950
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8953
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8954
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8955
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8956
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8957
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8958
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8961
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8962
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8968
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8970
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8974
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8975
SRPMS
9/core
- nspr-4.39.0-1.mga9
- nss-3.124.0-1.mga9
- firefox-140.11.0-1.mga9
- firefox-l10n-140.11.0-1.mga9