On February 24, 2026, the Mozilla Foundation released Firefox 148 alongside security advisory MFSA 2026-13, which patches more than 40 vulnerabilities. The advisory documents 45 distinct CVEs in total: 28 rated high impact, 13 moderate and 4 low. With that many issues and that much severity, it is an update you want to apply quickly.
What was fixed
The nastiest entries are two graphics sandbox escapes in WebRender, Firefox’s GPU-based rendering engine:
- CVE-2026-2760 and CVE-2026-2761: both described as WebRender sandbox escapes caused by incorrect boundary conditions. The researcher Oskar L. reported them. A sandbox escape is especially serious because it lets code that should stay confined to an isolated part of the browser reach into the rest of the system.
The JavaScript engine got two memory-handling fixes:
- CVE-2026-2763: a use-after-free (use of memory after it has been freed) in the JavaScript engine.
- CVE-2026-2764: a JIT miscompilation that also ends in a use-after-free.
A research team that included Evyatar Ben Asher and Nicholas Carlini found both, and they used Claude from Anthropic during their analysis.
Mozilla also documented several memory-safety bugs (CVE-2026-2807, CVE-2026-2792 and CVE-2026-2793) showing evidence of memory corruption. Mozilla warns that, with enough effort, some of these bugs could have been pushed into running arbitrary code.
Who is affected and how serious it is
The update affects Firefox users on every platform: Linux, Windows and macOS. Memory-safety bugs and use-after-free flaws are exactly the class of vulnerability that has historically been chained together to reach remote code execution through a malicious web page, though MFSA 2026-13 gives no sign that any of these flaws was under active exploitation when it was published.
The 28 issues rated high impact are reason enough to treat this update as a priority. In corporate environments and on Linux distributions that package Firefox, apply the repository updates as soon as they show up.
Mitigation
The fix is simple: update to Firefox 148 (or to the matching ESR release that carries these fixes). On most Linux distributions you only need to update the firefox or firefox-esr package through the package manager (apt, dnf, pacman, etc.) once maintainers publish the corrected build. If you run Mozilla’s official build, the browser usually updates itself; you can force a check under Help → About Firefox.
Keeping the browser current is one of the most effective defenses against web-based attacks, since most exploits target flaws already fixed in versions the user has not bothered to install.
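To check several machines against the fixed release named above, this added example (not part of the original article and not Mozilla tooling) classifies the output of `firefox --version`. The inventory format, hostnames and status labels are assumptions, and ESR builds are flagged for manual comparison because the article does not state the fixed ESR version.

```shell
#!/bin/sh
# Added example: triage `firefox --version` output against the fixed release.
FIXED_MAJOR=148   # per the article, the MFSA 2026-13 fixes ship in Firefox 148

# Classify one version line, e.g. "Mozilla Firefox 147.0.2".
firefox_patch_status() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^Mozilla Firefox \([0-9][0-9a-z.]*\).*$/\1/p')
    case "$ver" in
        "")      echo unknown; return ;;             # not a version line at all
        *esr)    echo esr-check-advisory; return ;;  # fixed ESR version is not given in the article
        *[a-z]*) echo unknown; return ;;             # beta/nightly strings: do not guess
    esac
    major=${ver%%.*}
    if [ "$major" -ge "$FIXED_MAJOR" ]; then echo patched; else echo vulnerable; fi
}

# Read "host version-line" records on stdin and print the hosts that need action.
# (Hypothetical inventory format: hostname, a space, then the raw command output.)
hosts_needing_action() {
    while read -r host line; do
        [ -n "$host" ] || continue
        status=$(firefox_patch_status "$line")
        [ "$status" = patched ] || printf '%s %s\n' "$host" "$status"
    done
}

# Constructed sample inventory: hostnames and version strings are invented.
SAMPLE_INVENTORY='ws-01 Mozilla Firefox 148.0
ws-02 Mozilla Firefox 147.0.2
ws-03 Mozilla Firefox 140.7.0esr
ws-04 firefox: command not found'

printf '%s\n' "$SAMPLE_INVENTORY" | hosts_needing_action
```

Hosts reported as `esr-check-advisory` or `unknown` need a manual look against MFSA 2026-13 rather than being assumed safe.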
Source
- Official advisory: Mozilla Foundation Security Advisory MFSA 2026-13
- Primary CVE details: CVE-2026-2763 on NVD