Firefox 147 Fixes 16 Vulnerabilities Including Sandbox Escapes
Mozilla patches six high-severity flaws in Firefox 147 and ESR releases. Multiple sandbox escape vulnerabilities could enable arbitrary code execution.
Mozilla released Firefox 147 on January 21, addressing 16 security vulnerabilities across the browser's graphics systems, JavaScript engine, and networking functionality. Six of the flaws carry high severity ratings, with several enabling sandbox escapes that could lead to arbitrary code execution on affected systems.
The security updates also apply to Firefox ESR 115.32 and Firefox ESR 140.7, extending protection to enterprise deployments running extended support versions.
High-Severity Vulnerabilities
The most concerning flaws involve sandbox escapes—attacks that break out of Firefox's security isolation to execute code with higher privileges.
CVE-2026-0884 affects the JavaScript engine and involves a use-after-free condition. This class of vulnerability occurs when the browser continues to reference memory after it has been freed; if that memory is reused for attacker-influenced data before the stale reference is used, the attacker can potentially hijack execution flow.
CVE-2026-0885 is another use-after-free in Firefox's garbage collection (GC) component. Memory corruption during garbage collection can be particularly dangerous because GC operations run frequently and interact with many browser components.
CVE-2026-0886 involves incorrect boundary conditions in the graphics component. Boundary violations can lead to buffer overflows, a well-understood path to code execution.
Both CVE-2026-0891 and CVE-2026-0892 address memory safety bugs fixed across multiple Firefox versions. Memory safety issues represent a broad category that includes buffer overflows, use-after-free conditions, and type confusion—all potentially exploitable for code execution.
Other Notable Fixes
Beyond the high-severity flaws, the update addresses:
- CVE-2026-0883: Information disclosure in the networking component
- CVE-2026-0887: Clickjacking and information disclosure in the PDF viewer
- CVE-2026-0889: Denial-of-service in Service Workers
- CVE-2026-0890: Spoofing in copy-paste and drag-and-drop operations
The PDF viewer vulnerability is worth noting for organizations that handle sensitive documents in-browser. Clickjacking attacks can trick users into interacting with hidden content, potentially exposing document data or triggering unintended actions.
Who's Affected
Firefox 147 addresses vulnerabilities present in all prior versions. Organizations running Firefox ESR have received corresponding patches—115.32 addresses CVE-2026-0892, while 140.7 addresses CVE-2026-0891 along with other fixes.
Thunderbird users also receive related patches through MFSA 2026-02 and MFSA 2026-03, as Mozilla's email client shares significant code with Firefox.
Update Now
Firefox should automatically check for updates, but you can trigger a manual check through the browser menu: Help → About Firefox. The browser will download and apply the update, requiring a restart to complete.
Enterprise administrators managing Firefox deployments should push MFSA 2026-01 (Firefox 147), MFSA 2026-02 (Firefox ESR 115.32), or MFSA 2026-03 (Firefox ESR 140.7) through their software distribution systems.
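For administrators who want to confirm the rollout, the following is an added example (not from the article or from Mozilla) that turns the version thresholds above into a compliance check. It parses the output of `firefox --version` and reports whether an install already carries the MFSA 2026-01/02/03 fixes. It assumes the usual output format, `Mozilla Firefox 146.0.1` for release builds and `Mozilla Firefox 140.6.0esr` for ESR builds (the `esr` suffix is how the branch is recognised); the sample lines in the block are constructed, not captured from real hosts.

```python
"""Firefox 147 / ESR 115.32 / ESR 140.7 patch-level check (added example)."""
import re
import subprocess
from typing import Optional, Tuple

# Minimum fixed versions per branch, as listed in the advisory summary above.
FIXED_RELEASE = (147, 0, 0)
FIXED_ESR = {115: (115, 32, 0), 140: (140, 7, 0)}

# Matches "147.0", "146.0.1", "140.7.0esr" inside a `firefox --version` line.
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?", re.IGNORECASE)

Version = Tuple[int, int, int]


def parse_version(text: str) -> Tuple[Version, bool]:
    """Return ((major, minor, patch), is_esr) from a version line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups()[:3])
    return (major, minor, patch), m.group(4) is not None


def is_patched(text: str) -> bool:
    """True if the reported version includes the fixes from this release."""
    version, is_esr = parse_version(text)
    if is_esr:
        fixed = FIXED_ESR.get(version[0])
        if fixed is None:
            # An ESR branch the advisory does not cover (e.g. one already past
            # end of life): flag it as unpatched so it gets reviewed by hand.
            return False
        return version >= fixed
    # Release channel: anything below 147 is missing these fixes.
    return version >= FIXED_RELEASE


def installed_version_line(binary: str = "firefox") -> Optional[str]:
    """Run `<binary> --version` on this host; None if Firefox is not on PATH."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=10, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample output, standing in for an inventory pulled from hosts.
    samples = [
        "Mozilla Firefox 147.0",
        "Mozilla Firefox 146.0.1",
        "Mozilla Firefox 115.32.0esr",
        "Mozilla Firefox 115.31.0esr",
        "Mozilla Firefox 140.7.0esr",
        "Mozilla Firefox 140.6.0esr",
    ]
    local = installed_version_line()
    if local:
        samples.append(local)
    for line in samples:
        status = "patched" if is_patched(line) else "UPDATE NEEDED"
        print(f"{line:32s} -> {status}")
```

Run it as-is to see the constructed samples scored, or feed it lines collected from endpoints; a non-ESR build of 140.x is correctly reported as needing 147, because the `esr` suffix, not the major number, decides which threshold applies.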
Why This Matters
Browser vulnerabilities remain attractive targets because browsers execute untrusted code constantly. Every website visited runs JavaScript in the browser, making the JavaScript engine a particularly sensitive attack surface. Sandbox escapes elevate the risk further—a successful exploit can break out of browser isolation and compromise the underlying system.
This batch of fixes follows a pattern of regular Firefox security releases. Mozilla maintains an aggressive patching cadence, typically releasing security updates every four to six weeks. Organizations that delay browser updates accumulate risk as proof-of-concept exploits emerge for disclosed vulnerabilities.
The Microsoft January 2026 Patch Tuesday addressed similar concerns with Windows components, reminding security teams that browser and OS patching should happen in parallel.
For security teams tracking exploitation trends, the CISA Known Exploited Vulnerabilities catalog provides authoritative confirmation when browser flaws move from theoretical to actively attacked—though no active exploitation of these Firefox vulnerabilities has been confirmed yet.