Source: libvpx
Version: 1.16.0-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for libvpx.

CVE-2026-2447[0]:
| Heap buffer overflow in libvpx. This vulnerability affects Firefox <
| 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird
| < 140.7.2, and Thunderbird < 147.0.2.

This corresponds to [1] and [2], and Google Chrome covered it in CVE-2026-1861. Probably libvpx should get a CVE on its own, but I'm not 100% certain about the ruling here, as Mozilla and Google used a separate CVE for their use of libvpx in their products.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-2447
    https://www.cve.org/CVERecord?id=CVE-2026-2447
[1] https://issues.oss-fuzz.com/issues/476466137
[2] https://chromium.googlesource.com/webm/libvpx/+/d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

