- Package: src:libvpx
- Source: src:libvpx
- Submitter: Salvatore Bonaccorso
- Date: 2026-02-19 20:39:02 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for libvpx.

CVE-2026-2447[0]:
| Heap buffer overflow in libvpx. This vulnerability affects Firefox <
| 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird
| < 140.7.2, and Thunderbird < 147.0.2.

This corresponds to [1] and [2] and Google Chrome covered it in CVE-2026-1861. Probably libvpx should get a CVE on its own, but I'm not 100% certain about the ruling here, as Mozilla and Google used a separate CVE for their use of libvpx in their products.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-2447
    https://www.cve.org/CVERecord?id=CVE-2026-2447
[1] https://issues.oss-fuzz.com/issues/476466137
[2] https://chromium.googlesource.com/webm/libvpx/+/d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Hello,

Bug #1128283 in libvpx reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/multimedia-team/libvpx/-/commit/23a7d187655d2ebd95c824f5f129e8f2452bebe6

------------------------------------------------------------------------
Apply upstream patch for CVE-2026-2447

Closes: #1128283
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1128283

We believe that the bug you reported is fixed in the latest version of libvpx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1128283@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated libvpx package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Thu, 19 Feb 2026 21:23:04 +0100
Source: libvpx
Architecture: source
Version: 1.16.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 1128283
Changes:
 libvpx (1.16.0-3) unstable; urgency=medium
 .
   * debian/patches: Apply upstream patch for CVE-2026-2447 (Closes: #1128283)