[Git][security-tracker-team/security-tracker][master] Update status for libvpx issue

Tue Feb 17 04:45:30 GMT 2026


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b736263f by Salvatore Bonaccorso at 2026-02-17T05:45:04+01:00
Update status for libvpx issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -45,12 +45,16 @@ CVE-2026-2452 (Emails sent by pretix can utilize placeholders that will be fille
 CVE-2026-2451 (Emails sent by pretix can utilize placeholders that will be filled wit ...)
 	NOT-FOR-US: rami.io products
 CVE-2026-2447 (Heap buffer overflow in libvpx. This vulnerability affects Firefox < 1 ...)
-	- firefox <unfixed>
-	- firefox-esr <unfixed>
+	- firefox <unfixed> (unimportant)
+	- firefox-esr <unfixed> (unimportant)
 	- libvpx <unfixed>
-	- thunderbird <unfixed>
+	- thunderbird <unfixed> (unimportant)
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2026-11/
+	NOTE: Firefox, Firefox ESR and Thunderbird use the system libvpx library
+	NOTE: Same issue as CVE-2026-1861/chromium
+	NOTE: https://chromium.googlesource.com/webm/libvpx/+/d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1
+	TODO: check, libvpx might need a separate CVE for src:libvpx itself
 CVE-2026-2415 (Emails sent by pretix can utilize placeholders that will be filled wit ...)
 	NOT-FOR-US: rami.io products
 CVE-2026-2101 (A Reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIAv ...)
@@ -5240,6 +5244,7 @@ CVE-2026-1861 (Heap buffer overflow in libvpx in Google Chrome prior to 144.0.75
 	{DSA-6122-1}
 	- chromium 144.0.7559.109-2
 	[bullseye] - chromium <end-of-life> (see #1061268)
+	NOTE: https://chromium.googlesource.com/webm/libvpx/+/d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1
 CVE-2026-25616 (Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka  ...)
 	NOT-FOR-US: Blesta
 CVE-2026-25615 (Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b736263f228da4b0d12069f3316c230c78b9a570

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b736263f228da4b0d12069f3316c230c78b9a570
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20260217/4baae7fa/attachment.htm>
