{
  "schema_version": "1.7.0",
  "id": "MGASA-2026-0242",
  "published": "2026-07-13T21:24:46Z",
  "modified": "2026-07-13T19:48:24Z",
  "summary": "Updated firefox, firefox-l10n, rootcerts, nss packages fix security vulnerabilities",
  "details": "The updated packages fix security vulnerabilities:\nPrivilege escalation in the Graphics: WebRender component.\n(CVE-2026-12289)\nMemory safety bug fixed in Firefox ESR 140.12. (CVE-2026-12290)\nUse-after-free in the Networking: HTTP component. (CVE-2026-12291)\nIncorrect boundary conditions in the Web Audio component.\n(CVE-2026-12292)\nSandbox escape in the DOM: Workers component. (CVE-2026-12294)\nSandbox escape in the DOM: Navigation component. (CVE-2026-12295)\nMemory safety bug fixed in Firefox ESR 140.12. (CVE-2026-12298)\nSandbox escape in the Security: Process Sandboxing component.\n(CVE-2026-12296)\nSandbox escape due to incorrect boundary conditions in the Networking\ncomponent. (CVE-2026-12297)\nJIT miscompilation in the DOM: Core & HTML component. (CVE-2026-12299)\nMemory safety bug fixed in Firefox ESR 140.12. (CVE-2026-12329)\nMitigation bypass in the DOM: Security component. (CVE-2026-12302)\nSame-origin policy bypass in the Networking: Cookies component.\n(CVE-2026-12304)\nMemory safety bug fixed in Firefox ESR 140.12. (CVE-2026-12305)\nMemory safety bug fixed in Firefox ESR 140.12. (CVE-2026-12306)\nMemory safety bug fixed in Firefox ESR 140.12. (CVE-2026-12307)\nMemory safety bug fixed in Firefox ESR 140.12. (CVE-2026-12308)\nMemory safety bug fixed in Firefox ESR 140.12. (CVE-2026-12309)\nMemory safety bug fixed in Firefox ESR 140.12. (CVE-2026-12310)\nInformation disclosure, sandbox escape in the Security: Process\nSandboxing component. (CVE-2026-12311)\nMemory safety bug fixed in Firefox ESR 140.12. (CVE-2026-12312)\nInformation disclosure, sandbox escape in the Security: Process\nSandboxing component. (CVE-2026-12313)\nMemory safety bug fixed in Firefox ESR 140.12. (CVE-2026-12314)\nMitigation bypass in the DOM: Security component. (CVE-2026-12315)\nIncorrect boundary conditions in the Internationalization component.\n(CVE-2026-12330)\nIncorrect boundary conditions in the Graphics: CanvasWebGL component.\n(CVE-2026-12324)\nDenial-of-service in the Graphics: ImageLib component. (CVE-2026-12325)\nMemory safety bugs fixed in Firefox ESR 140.12, Thunderbird ESR 140.12,\nFirefox 152 and Thunderbird 152. (CVE-2026-12327)\nMemory safety bugs fixed in Firefox ESR 115.37, Firefox ESR 140.12,\nThunderbird ESR 140.12, Firefox 152 and Thunderbird 152.\n(CVE-2026-12328)\n",
  "upstream": [
    "CVE-2026-12289",
    "CVE-2026-12290",
    "CVE-2026-12291",
    "CVE-2026-12292",
    "CVE-2026-12294",
    "CVE-2026-12295",
    "CVE-2026-12296",
    "CVE-2026-12297",
    "CVE-2026-12298",
    "CVE-2026-12299",
    "CVE-2026-12302",
    "CVE-2026-12304",
    "CVE-2026-12305",
    "CVE-2026-12306",
    "CVE-2026-12307",
    "CVE-2026-12308",
    "CVE-2026-12309",
    "CVE-2026-12310",
    "CVE-2026-12311",
    "CVE-2026-12312",
    "CVE-2026-12313",
    "CVE-2026-12314",
    "CVE-2026-12315",
    "CVE-2026-12324",
    "CVE-2026-12325",
    "CVE-2026-12327",
    "CVE-2026-12328",
    "CVE-2026-12329",
    "CVE-2026-12330"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2026-0242.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=35715"
    },
    {
      "type": "WEB",
      "url": "https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_125.html"
    },
    {
      "type": "WEB",
      "url": "https://www.firefox.com/en-US/firefox/140.12.0/releasenotes/"
    },
    {
      "type": "ADVISORY",
      "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2026-58/"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:10",
        "name": "rootcerts",
        "purl": "pkg:rpm/mageia/rootcerts?arch=source&distro=mageia-10"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20260611.00-1.mga10"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:10",
        "name": "nss",
        "purl": "pkg:rpm/mageia/nss?arch=source&distro=mageia-10"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.125.0-1.mga10"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:10",
        "name": "firefox",
        "purl": "pkg:rpm/mageia/firefox?arch=source&distro=mageia-10"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "140.12.0-1.mga10"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:10",
        "name": "firefox-l10n",
        "purl": "pkg:rpm/mageia/firefox-l10n?arch=source&distro=mageia-10"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "140.12.0-1.mga10"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:9",
        "name": "rootcerts",
        "purl": "pkg:rpm/mageia/rootcerts?arch=source&distro=mageia-9"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20260611.00-1.mga9"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:9",
        "name": "nss",
        "purl": "pkg:rpm/mageia/nss?arch=source&distro=mageia-9"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.125.0-1.mga9"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:9",
        "name": "firefox",
        "purl": "pkg:rpm/mageia/firefox?arch=source&distro=mageia-9"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "140.12.0-1.mga9"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:9",
        "name": "firefox-l10n",
        "purl": "pkg:rpm/mageia/firefox-l10n?arch=source&distro=mageia-9"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "140.12.0-1.mga9"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}
