#1128283 libvpx: CVE-2026-2447

Package:
src:libvpx
Source:
src:libvpx
Submitter:
Salvatore Bonaccorso
Date:
2026-02-19 20:39:02 UTC
Severity:
normal
Tags:
#1128283#5
Date:
2026-02-17 12:26:50 UTC
Hi,

The following vulnerability was published for libvpx.

CVE-2026-2447[0]:
| Heap buffer overflow in libvpx. This vulnerability affects Firefox <
| 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird
| < 140.7.2, and Thunderbird < 147.0.2.

This corresponds to [1] and [2] and Google Chrome covered it in
CVE-2026-1861.

Probably libvpx should get a CVE on its own, but I'm not 100% certain
about the ruling here, as Mozilla and Google used a separate CVE for
their use of libvpx in their products.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-2447
https://www.cve.org/CVERecord?id=CVE-2026-2447
[1] https://issues.oss-fuzz.com/issues/476466137
[2] https://chromium.googlesource.com/webm/libvpx/+/d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1128283#12
Date:
2026-02-19 20:26:18 UTC
Hello,

Bug #1128283 in libvpx reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/multimedia-team/libvpx/-/commit/23a7d187655d2ebd95c824f5f129e8f2452bebe6
------------------------------------------------------------------------
Apply upstream patch for CVE-2026-2447

Closes: #1128283
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1128283

#1128283#19
Date:
2026-02-19 20:36:52 UTC
We believe that the bug you reported is fixed in the latest version of
libvpx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1128283@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated libvpx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 19 Feb 2026 21:23:04 +0100
Source: libvpx
Architecture: source
Version: 1.16.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 1128283
Changes:
 libvpx (1.16.0-3) unstable; urgency=medium
 .
   * debian/patches: Apply upstream patch for CVE-2026-2447 (Closes: #1128283)