A quick look at Mythos run on Firefox: too much hype?

When Anthropic published its Mythos announcement, it really seemed impressive at first, almost worrying. But when reading thoroughly, the public evidence is less clean than the headline effect. The often-cited "under $20,000" figure does not mean Mythos casually found one devastating bug for that price; in Anthropic's own writeup, that budget covered a large search process with roughly a thousand scaffolded runs and several dozen findings. That is still notable, but it is a very different claim from the dramatic version people repeat. Mozilla followed with a post about using Mythos identifying a large number of AI-found issues in Firefox 150, and it also seems to push the narrative in the same direction: AI has arrived for vulnerability research. I mean, the latter post is entitled "The zero-days are numbered".

Although it looks like a bold take, that may be true. But the public evidence does not support the strongest version of that claim, and unless you are working for one of the chosen (by Anthropic), it is not simple to figure out if these public claims are just marketing or if they are a real game changer.

The interesting question is not whether Mythos found bugs. It clearly did. The interesting question is what kind of bugs were found, how serious they were, and whether those findings actually change the balance between defenders and attackers.

I spent a few hours going through the Firefox commit history, advisory references, and linked bugs to get a better sense of what Mozilla's numbers really mean. This is not a full audit of every patch, but it is enough to form a more grounded view than the marketing cycle usually allows.

The claim

Mozilla reported that 271 vulnerabilities were identified in Firefox 150 associated with Mythos. At the same time, the Firefox 150 security advisory does not map that claim to a single clean list of 271 Firefox-only bug IDs. It contains many individual CVEs from different reporters, including at least three entries explicitly credited to Anthropic, as well as several aggregated "memory safety bugs" entries:

• CVE-2026-6746: Use-after-free in the DOM: Core & HTML component
• CVE-2026-6784: Memory safety bugs fixed in Firefox 150 and Thunderbird 150
• CVE-2026-6785: Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150
• CVE-2026-6786: Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150

Those four entries alone link to hundreds of bugs. That should immediately make anyone cautious about reading the headline number too literally. A large AI-assisted cleanup campaign can still be important without every individual fix representing a directly exploitable, high-end vulnerability. The linked bug counts here are 1, 55, 154, and 107 respectively, which makes 317 in total. But that still should not be compared directly to Mozilla's "271 vulnerabilities identified" claim, because the aggregated CVE buckets also cover Thunderbird and ESR releases, not just Firefox 150.

There is also a basic accounting problem here: Mozilla's 271 figure, Bugzilla bug IDs, advisory CVEs, and individual commits are not the same unit. Publicly, you can reconstruct pieces of the picture, but not a single authoritative Firefox-only list that cleanly explains the 271 number. That does not mean Mozilla is wrong. It means outsiders should be careful not to over-interpret the advisory as if it were a perfect ledger of the claim.

What the data suggests

I vibecoded a small tool to group commits, bugs, CVEs, and touched subsystems as well as displaying some statistics. I also made a poor attempt at trying to score the bugs depending on keywords found, in order to prioritize which bugs would look like actually actionable. You can use it to quickly browse through commits, and even get my scripts sources at the end of the summary for reproducibility.

Even if you ignore the exact totals, the shape of the data is informative:

• Hundreds of commits and bug references are involved.
• The touched code is spread across major Firefox attack surface areas like dom, gfx, netwerk, js, layout.
• The patch set mixes obvious safety fixes, defensive cleanups, lifecycle hardening, API usage tightening, and some changes that look closer to real exploit primitives.
• As part of the CVEs, some patches seem to be not security related (e.g. avoiding null dereference) although relevant for the program stability.

That distinction matters. "Found a bug" is not the same statement as "found an exploitable vulnerability", and it is definitely not the same statement as "found a weaponizable chain component".

In browser exploitation, there is a wide spectrum between:

• a harmless correctness bug,
• a crash-only bug,
• a bug that creates a memory corruption primitive,
• and a bug that survives into a reliable exploit chain.

If you collapse that spectrum into a single headline number, you get attention, but you lose precision.

Stats between tags FIREFOX_BETA_149_END and FIREFOX_BETA_150_END

I'm using these tags as a rough release window, not as a precise Mythos boundary. That distinction matters. The stats below describe the Firefox 150 development interval broadly, and not a cleanly isolated set of Mythos-derived fixes. So they are useful for showing scale and patch distribution, but they should not be read as "these are the 271 Mythos vulnerabilities".

• Commits: 6,115
• Bug IDs: 3,209
• High-Priority Candidates: 252
• Bugs with (high) CVE: 301 (counting non-mythos CVEs as well)
• Commits with (high) CVE: 340
• Changed lines: 3,438,679
• Median lines / commit: 52
• Mean lines / commit: 562.34
• Largest patch: 480,735
• Commits with crashtest: 47

We can also notice that many commits associated with those bugs predate the Anthropic post by days or weeks, with an obvious pike on April 2. That is not surprising. Advisory aggregation happens late, and some fixes that end up grouped under a release CVE were clearly authored earlier, for example on March 5.

Are these "real vulnerabilities"?

This depends on the standard you care about.

If you are a defender, the answer is straightforward: yes, broadly speaking, many of these fixes matter. Memory-safety issues, lifetime mistakes, race conditions, incorrect ownership, and serialization problems are exactly the kinds of patterns that defenders want removed before an attacker gets to them. Even when a bug is not independently exploitable, it can still reduce safety margins or become useful when combined with another issue, think of e.g. a relative or arbitrary read primitive.

If you are thinking like an attacker, the bar is higher. A bug is only truly interesting if it buys leverage: control of memory, type confusion, privilege boundary crossing, sandbox escape, or something else that materially advances exploitation. By that standard, a lot of the published fixes look more like hardening and bug debt reduction than obvious exploit gold.

That is not a criticism. Hardening is good. But it is not the same thing as proving that a model is now outperforming top offensive researchers at finding high-value browser chains.

This brings me to the context of a vulnerability. For a defender, a vulnerability is a vulnerability regardless of its exploitability context. When it comes to browsers, there are attack surfaces hidden behind additional user interactions, or very specific setups, runtime options, and more, which would not be reliably actionable to weaponize a vulnerability. As an attacker, you would typically never spend effort on such surface.

What stands out in the patch set

A quick pass through the linked fixes shows several recurring categories:

• reference lifetime fixes,
• ownership and cleanup corrections,
• race-condition and async teardown fixes,
• bounds checks and integer handling,
• safer serialization and IPC handling,
• upstream library updates and vendor syncs.

Some of those are exactly where dangerous bugs come from. Others are better understood as preventative maintenance that happened to be triggered by large-scale automated review.

This is why one issue such as 2014596 for CVE-2026-6746 stands out more than the giant aggregate CVE buckets. A concrete use-after-free is easy to reason about as a potentially exploitable security issue. A long list of "memory safety bugs fixed" is directionally important, but analytically much weaker unless you inspect the individual bugs.

What Mythos seems good at

The strongest charitable reading of the Firefox 150 data is this:

Mythos appears to be very good at surfacing suspicious patterns at scale.

That is already valuable. A model that can find cleanup bugs, lifetime hazards, API misuse, unsafe assumptions, and latent memory-safety issues across a codebase the size of Firefox is useful even if only a fraction of those findings are directly exploitable. For a defensive team, that can translate into faster hardening, broader code review coverage, and less time wasted on manual triage. Publicly, that is the part that looks well supported.

This is probably the most important practical outcome. Security teams do not need a model to independently invent a full exploit chain for it to have significant value.

However, its value is not clear compared to other LLMs, if you tried yourself to run any model at finding bugs in a codebase, or even wrote your own agents, you most certainly are confident that it would warn you for most of the patterns found by Mythos. Take Google Big Sleep for instance, there is a chance it has been way more relevant than Mythos already, and there hasn't been such dramatical announcements.

What remains unproven

The offensive claim is much harder to support.

From the public evidence, we still do not know how many tokens, runs, and analyst-hours were required, how much human filtering was needed, how many findings were duplicates or low-value crashes, how Mythos compares to other strong models on the same targets, and how many of the fixed bugs would have materially mattered in a real exploit-development context.

I'm sure Mozilla did not even spend time to prove exploitability, nor did Mythos provide a PoC for them (although some commits include crashtests). Without knowing the actually exploitable bugs count, it is hard to call this a security revolution rather than a successful large-scale bug-mining campaign.

And the distinction is important because browser security is not measured by the number of bug fixes, it is measured by whether attackers lose meaningful capabilities. And that is not yet obvious here.

Defender relevance vs attacker relevance

This is where I currently land.

For defenders, Mythos looks relevant right now. Even if many of the findings are "just" stability issues, suspicious cleanup bugs, or latent memory-safety hazards, removing them improves the codebase and reduces future opportunity for attackers. However, I have doubts it would produce the similar results on what I think are more robusts codebases, and I am eager to find out if Mythos produce similar results on Apple Safari or Google Chrome. If I had to bet, I would say it won't :)

For attackers, the story is less convincing. Nothing in Mozilla's disclosure alone proves that Mythos has suddenly erased the usual offensive edge. If anything, the public evidence suggests that AI is currently easier to defend as broad hardening support than as proof of singular, decisive exploit discovery.

That is also why I would treat public attacker claims separately from Mozilla's numbers. For example, one team publicly stated that their RCE and sandbox escape chain was still alive after the release. That is not strong evidence by itself, but it is a useful reminder that "many fixes landed" is not the same statement as "the offensive problem is solved".

That may change. But this Firefox release does not prove it has changed already.

Conclusion

The Firefox 150 data suggests a tool that is genuinely useful for defensive security work, especially at scale, but the public record does not justify the strongest claims people want to make from it. The headline number is impressive, yet it bundles together bugs of very different significance and does not publicly resolve into a clean accounting.

So my current view is simple:

• as a defensive assistant, Mythos looks credible;
• as evidence of a dramatic offensive breakthrough, the Firefox case is still weak;
• and as usual with AI security announcements, the most interesting part is hidden in the operational details we do not get to see.

Stay safe out there, read through the lines, beware of the hype posts and don't fall for the narrative they want to push.

Appendix

Appendix A: Playing the game of "is it exploitable"

I gave a try myself at deciding if the bugs were relevant. It is a good exercise to do when willing to learn about an attack surface. Take my comments with mountains of salt.

Bug 2016901 - Fix potential race in NSSIOLayer. r=keeler

[...] nsSSLIOLayerHelpers::~nsSSLIOLayerHelpers() { - Preferences::RemoveObserver(this, "security.tls.version.fallback-limit"); - Preferences::RemoveObserver(this, "security.tls.insecure_fallback_hosts"); + // Pref observers must have been removed before destruction, since the + // destructor may run off the main thread. + MOZ_ASSERT(!mRegisteredPrefObservers, + "Pref observers should have been removed before destruction"); } [...]

This change suggests that the nsSSLIOLayerHelpers object may be deleted on a separate thread, while the nsSSLIOLayerHelpers::GlobalCleanup() is meant to run on the main thread. If true this possibly leads to a thread affinity bug as Preferences::RemoveObserver is meant to run on the main thread as well.

From afar, this sounds possibly exploitable, but hard to tell without inspecting the actual thread activity that happens with the Preferences class, raceability window, etc.

It seems GlobalCleanup is only called for when Firefox is shutdown, in which case that means we would have to keep a TLS socket open while the user closes the browser, making it obviously not weaponizable.

• Exploitability: Maybe
• Context: Unrealistic

Bug 2014435 - Don't copy mOpts in MediaEngineFakeVideoSource::CreateFrom. r=padenot

diff --git a/dom/media/webrtc/MediaEngineFake.cpp b/dom/media/webrtc/MediaEngineFake.cpp index f59c37f0587aa..8123aa05e55a0 100644 --- a/dom/media/webrtc/MediaEngineFake.cpp +++ b/dom/media/webrtc/MediaEngineFake.cpp @@ -151,7 +151,6 @@ MediaEngineFakeVideoSource::CreateFrom( const MediaEngineFakeVideoSource* aSource) { auto src = MakeRefPtr<MediaEngineFakeVideoSource>(); *static_cast<MediaTrackSettings*>(src->mSettings) = *aSource->mSettings; - src->mOpts = aSource->mOpts; return src.forget(); }

The MediaEngineFakeVideoSource is a fake video source that can be used when doing tests with webrtc when one does not have an actual camera to plug into the source feed. The patch is very simple: when cloning the video source, it does not copy the original source options, which is a per-instance stale data. This copy is not useful as the video sources options are meant to be initialized during allocation later on. However, if the source is used without going through the Allocate path later on, this could be a problem. I consider aSource not freed as the copy on mSettings was kept, thus it seems it would only contain options previously allocated through a normal path.

I feel like if this leads to memory corruption, it would easily be found by fuzzing the MediaDevices API.

• Exploitability: Low
• Context: Realistic

Bug 2023302 - null check mResponseHead when calling ClearHeaders r=necko-reviewers,jesup

This commit adds null checks before calling methods on a pointer.

• Exploitability: None
• Context: N/A

Bug 2022051. r=bvisness.

diff --git a/js/src/wasm/WasmIonCompile.cpp b/js/src/wasm/WasmIonCompile.cpp index 0e0df7c0eef77..19d78084d452d 100644 --- a/js/src/wasm/WasmIonCompile.cpp +++ b/js/src/wasm/WasmIonCompile.cpp @@ -5544,7 +5544,8 @@ class FunctionCompiler { MInstruction* dstData = MWasmLoadField::New( alloc(), dstArrayObject, nullptr, WasmArrayObject::offsetOfData(), mozilla::Nothing(), MIRType::WasmArrayData, MWideningOp::None, - AliasSet::Load(AliasSet::WasmArrayDataPointer)); + AliasSet::Load(AliasSet::WasmArrayDataPointer), + mozilla::Some(trapSiteDesc())); if (!dstData) { return false; } @@ -5553,7 +5554,8 @@ class FunctionCompiler { MInstruction* srcData = MWasmLoadField::New( alloc(), srcArrayObject, nullptr, WasmArrayObject::offsetOfData(), mozilla::Nothing(), MIRType::WasmArrayData, MWideningOp::None, - AliasSet::Load(AliasSet::WasmArrayDataPointer)); + AliasSet::Load(AliasSet::WasmArrayDataPointer), + mozilla::Some(trapSiteDesc())); if (!srcData) { return false; }

I don't know enough about SpiderMonkey's JIT to tell if that would be exploitable or not.

Before this commit, the two loads were created as plain movable field loads. In MWasmLoadField, that means “no trap metadata” and the instruction is treated as movable; with trap metadata present, it becomes a guard instead (js/src/jit/MIR-wasm.h:2754). That matters because wasm field loads from object pointers can fault on null, and the backend uses maybeTrap() to attach the correct wasm trap site to the emitted faulting instruction (js/src/jit/Lowering.cpp:8731, js/src/jit/CodeGenerator.cpp:10684).

I'll let you decide.

• Exploitability: ?
• Context: Realistic

Appendix B: Complete commit list where bugs are associated to a CVE, sorted per component

Commit inventory

• accessible

  • 2002899 Bug 2002899: Explicitly disconnect UIA providers. a=diannaS DONTBUILD CVE-2026-6784
  • 2022338 Bug 2022338 - Don't allow non-doc remote accessibles to be attached to remote outer docs. a=diannaS CVE-2026-6785
  • 2027237 Bug 2027237 - Check that embedder doc is managed by same PBrowser. a=diannaS DONTBUILD CVE-2026-6785
  • 2027291 Bug 2027291 - Make mParent a strong reference in AccIterable::IteratorState. a=RyanVM CVE-2026-6785
  • 2027293 Bug 2027293 - Retrieve and hold editor before calling SetSelectionBoundsAt. a=diannaS DONTBUILD CVE-2026-6785
  • 2027962 Bug 2027962: Check Shutdown a=RyanVM DONTBUILD CVE-2026-6785
  • 2027971 Bug 2027971 - Don't allow creation of remote non-doc acc with ID 0. a=RyanVM DONTBUILD CVE-2026-6785
  • 2029743 Bug 2029743 - Return strong references to content from ToDOMPoint. a=diannaS DONTBUILD CVE-2026-6786

• browser

  • 1963301 Bug 1963301 - Improve programmatic focus handling in Form Autofill. r=dimi,geckoview-reviewers,tcampbell CVE-2026-6784
  • 1963301 Revert "Bug 1963301 - Improve programmatic focus handling in Form Autofill. r=dimi,geckoview-reviewers,tcampbell" for causing lint failures CVE-2026-6784
  • 1963301 Bug 1963301 - Improve programmatic focus handling in Form Autofill. r=dimi,geckoview-reviewers,tcampbell CVE-2026-6784
  • 1963301 Revert "Bug 1963301 - Improve programmatic focus handling in Form Autofill. r=dimi,geckoview-reviewers,tcampbell" for causing mozlint failures CVE-2026-6784
  • 1963301 Bug 1963301 - Improve programmatic focus handling in Form Autofill. r=dimi,geckoview-reviewers,tcampbell CVE-2026-6784
  • 2012436 Bug 2012436. r=tschuster,daleharvey CVE-2026-6784
  • 2012436 Revert "Bug 2012436. r=tschuster,daleharvey" for causing xpc failures @ test_richsuggestions_order.js CVE-2026-6784
  • 2012436 Bug 2012436. r=tschuster,daleharvey CVE-2026-6784
  • 2025609 Bug 2025609 - Using information from the browsingContext in BlockedSiteParent.sys.mjs. a=RyanVM DONTBUILD CVE-2026-6785

• build

  • 2020817 Bug 2020817 - Part 2: Add a MOZ_NON_TERMINATED_STRING static analysis, a=diannaS CVE-2026-6784

• docshell

  • 2025354 Bug 2025354 a=diannaS CVE-2026-6785
  • 2028524 Bug 2028524, avoid leaking a document, r=farre, a=dsmith CVE-2026-6784

• dom

  • 1536243 Bug 1536243 - Use av_mallocz to zero FFmpeg extradata padding. r=media-playback-reviewers,jolin CVE-2026-6784
  • 1999158 Bug 1999158. a=diannaS DONTBUILD CVE-2026-6785
  • 2001319 Bug 2001319 - Part 1: Update MediaDRM provisioning on Android to use origin IDs. r=aosmond,geckoview-reviewers,media-playback-reviewers,tcampbell CVE-2026-6784
  • 2001319 Bug 2001319 - Part 2: Unprovision MediaDRM origins when clearing browsing data. r=aosmond,media-playback-reviewers,webrtc-reviewers,jib CVE-2026-6784
  • 2014435 Bug 2014435 - Don't copy mOpts in MediaEngineFakeVideoSource::CreateFrom. r=padenot CVE-2026-6784
  • 2014596 Bug 2014596 - Fix manual slot reassignment across different shadow roots. a=diannaS DONTBUILD CVE-2026-6746
  • 2019004 Bug 2019004 - FIX Double-Close Race in FileSystemAccessHandle via Dual IPC Channels, a=diannaS DONTBUILD CVE-2026-6786
  • 2020817 Bug 2020817 - Part 4: Annotate & clean up nsACString callers of BeginReading/Data, a=diannaS CVE-2026-6784
  • 2021769 Bug 2021769: Simplify the CC setup for these classes. a=diannaS DONTBUILD CVE-2026-6747
  • 2021788 Bug 2021788 - Guard against signed long overflow in WMFVideoMFTManager::CreateBasicVideoFrame(). r=media-playback-reviewers,jolin CVE-2026-6784
  • 2022276 Bug 2022276 - Improve custom path handling helpers. a=diannaS DONTBUILD CVE-2026-6785
  • 2022335 Bug 2022335 - End cache actions faster after cancel. a=diannaS DONTBUILD CVE-2026-6785
  • 2022367 Bug 2022367 - Copy override strings in CopyJSSettings. a=diannaS DONTBUILD CVE-2026-6784
  • 2022373 Bug 2022373. a=diannaS CVE-2026-6785
  • 2022604 Bug 2022604 - Fix VideoFrame.copyTo() using incorrect stride for RGB surfaces. a=diannaS CVE-2026-6748
  • 2022610 Bug 2022610. a=diannaS DONTBUILD CVE-2026-6749
  • 2022785 Bug 2022785 - limit PRF evalByCredential list length in parent process. r=keeler CVE-2026-6786
  • 2023544 Bug 2023544 - Use mAsyncWaitAlgorithms.forget() a=diannaS DONTBUILD CVE-2026-6785
  • 2023599 Bug 2023599. a=diannaS CVE-2026-6785
  • 2023608 Bug 2023608 - Get ObservableArrayProxyHandler properly; a=diannaS CVE-2026-6785
  • 2023670 Bug 2023670 - Part 1: Only allow sending nsIInputStream for transferrable StruturedCloneHolders, a=diannaS DONTBUILD CVE-2026-6784
  • 2023670 Bug 2023670 - Part 2: Clear transferred state in WriteIPCParams, a=diannaS DONTBUILD CVE-2026-6784
  • 2023814 Bug 2023814 - Harden ImageData structured cloning. a=diannaS CVE-2026-6785
  • 2023925 Bug 2023925 - Modernize the SVG filter attribute enums. a=diannaS CVE-2026-6786
  • 2024225 Bug 2024225 - Simplify GetAnonymousRootElementOfTextEditor. a=diannaS CVE-2026-6784
  • 2024238 Bug 2024238. a=diannaS DONTBUILD CVE-2026-6784
  • 2024240 Bug 2024240 - Clean up LinuxGamepadService lifecycle interactions with event dispatching. a=diannaS DONTBUILD CVE-2026-6784
  • 2024242 Bug 2024242: clean up VSyncParent a=diannaS DONTBUILD CVE-2026-6785
  • 2024346 Bug 2024346 - Run RuntimeService::Cleanup() once. a=diannaS DONTBUILD CVE-2026-6786
  • 2024416 Bug 2024416 - Invoke ObservableArray callback only when interface is still valid; a=diannaS CVE-2026-6786
  • 2024424 Bug 2024424 dispatch mozreportmediaerror event asynchronously r=alwu CVE-2026-6784
  • 2024425 Bug 2024425: Capture PresShell in a local variable when getting primary frame. a=diannaS DONTBUILD CVE-2026-6785
  • 2024429 Bug 2024429 - Use consistent handle types at interfaces. a=RyanVM DONTBUILD CVE-2026-6786
  • 2024432 Bug 2024432 - Update Geolocation services on move. a=diannaS DONTBUILD CVE-2026-6786
  • 2024440 Bug 2024440 - Reject Shared Array Buffer or Object, a=RyanVM DONTBUILD CVE-2026-6785
  • 2024442 Bug 2024442, don't leak nursery wrappers on failure, r=mccr8, a=dsmith CVE-2026-6785
  • 2024446 Bug 2024446 - Do not unfollow inside abort algorithm a=diannaS DONTBUILD CVE-2026-6785
  • 2024455 Bug 2024455. r=aosmond CVE-2026-6786
  • 2024455 Revert "Bug 2024455. r=aosmond" for causing multiple failures. CVE-2026-6786
  • 2024455 Bug 2024455. r=aosmond CVE-2026-6786
  • 2024458 Bug 2024458: Hold a self-ref on behalf of sigslot, just in case. a=diannaS DONTBUILD CVE-2026-6785
  • 2024463 Bug 2024463 - Part 1 Check list size a=diannaS CVE-2026-6785
  • 2024463 Bug 2024463 - Part 2 Add more asserts a=diannaS CVE-2026-6785
  • 2024468 Bug 2024468 - Ensure UDPSocket remains alive during CloseWithReason, a=diannaS DONTBUILD CVE-2026-6786
  • 2024476 Bug 2024476: Fixing unprotected access to shared RuntimeService::mNavigatorProperties. a=diannaS DONTBUILD CVE-2026-6786
  • 2024478 Bug 2024478: Add a death grip a=diannaS DONTBUILD CVE-2026-6785
  • 2024650 Bug 2024650 - MaybeSubmit calls script that may free doc a=diannaS DONTBUILD CVE-2026-6785
  • 2024653 Bug 2024653, be more consistent with non-changing attribute setting, r=farre, a=dsmith CVE-2026-6785
  • 2024654 Bug 2024654 - Simplify ShadowRoot::InvalidateStyleAndLayoutOnSubtree. a=diannaS CVE-2026-6785
  • 2024655 Bug 2024655, tweak reflector updating, r=jonco,sfink a=dsmith CVE-2026-6785
  • 2024656 Bug 2024656 - Keep strong PresShell reference. a=diannaS CVE-2026-6785
  • 2025278 Bug 2025278 - part 2. a=diannaS DONTBUILD CVE-2026-6785
  • 2025281 Bug 2025281 - Cleanup MediaIPCUtils. a=diannaS CVE-2026-6784
  • 2025332 Bug 2025332 - ErrorResult should call ClearUnionData more. a=diannaS CVE-2026-6786
  • 2025348 Bug 2025348 - Cleanup construction of screen and orientation. a=diannaS DONTBUILD CVE-2026-6786
  • 2025349 Bug 2025349: Add a deathgrip to StreamList a=RyanVM DONTBUILD CVE-2026-6785
  • 2025350 Bug 2025350 - Use CheckedInt to validate size when writing StructuredCloneBlob and ClonedErrorHolder. a=diannaS DONTBUILD CVE-2026-6785
  • 2025360 Bug 2025360 - Avoid leaks in nsXMLPrettyPrinter, r=hsivonen, a=dsmith CVE-2026-6785
  • 2025363 Bug 2025363 - really IgnoreOpensDuringUnload, r=edgar,a=dsmith CVE-2026-6785
  • 2025370 Bug 2025370 - Properly handle error case in EventListenerManager::GetTypedEventHandler, r=edgar, a=dsmith CVE-2026-6785
  • 2025379 Bug 2025379: Take a snapshot of headers a=RyanVM DONTBUILD CVE-2026-6785
  • 2025381 Bug 2025381 - Handle AbortSignal's reason more consistently. a=diannaS DONTBUILD CVE-2026-6785
  • 2025387 Bug 2025387. a=diannaS DONTBUILD CVE-2026-6784
  • 2025399 Bug 2025399 - Add thread-safety annotations to GamepadPlatformService. a=diannaS DONTBUILD CVE-2026-6785
  • 2025400 Bug 2025400: Add a mutex to gamepad a=diannaS DONTBUILD CVE-2026-6785
  • 2025407 Bug 2025407 - Deduplicate HTMLAllCollection::GetSupportedNames code with nsContentList::GetSupportedNames., a=dsmith CVE-2026-6785
  • 2025415 Bug 2025415 - IndexedDB: CopyingStructuredCloneReadCallback returns cached Blob wrapper, violating the spec requirement that cloned values are independent copies. a=RyanVM CVE-2026-6785
  • 2025420 Bug 2025420: Clean up MessageBodyService a=diannaS DONTBUILD CVE-2026-6785
  • 2025427 Bug 2025427: Add a deathgrip a=RyanVM DONTBUILD CVE-2026-6785
  • 2025429 Bug 2025429. a=diannaS DONTBUILD CVE-2026-6785
  • 2025430 Bug 2025430: Check for CDM shutdown a=RyanVM DONTBUILD CVE-2026-6785
  • 2025458 Bug 2025458 - Ensure SetCDMProxy always runs on the task queue. a=diannaS CVE-2026-6786
  • 2025461 Bug 2025461: Tweak the GMPUtils, fix LOG a=diannaS DONTBUILD CVE-2026-6786
  • 2025463 Bug 2025463 - Add bounds check for encoded temporal layer id. a=diannaS CVE-2026-6786
  • 2025466 Bug 2025466 - Release mIPDLSelfRef last in MFCDMChild::IPDLActorDestroyed. a=diannaS DONTBUILD CVE-2026-6784
  • 2025479 Bug 2025479 - Validate IPC-supplied audio sample fields before use in ArrayOfRemoteAudioData::ElementAt. a=diannaS DONTBUILD CVE-2026-6785
  • 2025481 Bug 2025481 - Add missing shutdown guards to WMFCDMProxy. a=diannaS CVE-2026-6786
  • 2025483 Bug 2025483 update mBeginProcessing even on speex_resampler_set_rate() error a=diannaS DONTBUILD CVE-2026-6786
  • 2025485 Bug 2025485 - Improve bounds check in AudioData::SetTrimWindow. a=diannaS CVE-2026-6786
  • 2025489 Bug 2025489: avoid overflows a=RyanVM DONTBUILD CVE-2026-6785
  • 2025493 Bug 2025493 - a=diannaS CVE-2026-6785
  • 2025494 Bug 2025494 - Remove MOZ_UNANNOTATED. a=diannaS CVE-2026-6786
  • 2025497 Bug 2025497. a=diannaS DONTBUILD CVE-2026-6785
  • 2025502 Bug 2025502 - Serialize MediaSystemResourceService shutdown on the compositor thread. a=diannaS DONTBUILD CVE-2026-6785
  • 2025506 Bug 2025506. a=diannaS DONTBUILD CVE-2026-6786
  • 2025511 Bug 2025511 - a=diannaS CVE-2026-6786
  • 2025513 Bug 2025513. a=diannaS CVE-2026-6786
  • 2025515 Bug 2025515 - Defer video MediaStreamTrack rendering attachment via WatchManager. a=diannaS DONTBUILD CVE-2026-6785
  • 2025515 Bug 2025515 - Always allow Add/RemoveVideoOutput with detached outputs. a=diannaS DONTBUILD CVE-2026-6785
  • 2025517 Bug 2025517 - Clean up GmpPluginNotifier and VideoConduit shutdown ordering a=diannaS DONTBUILD CVE-2026-6785
  • 2025520 Bug 2025520: Fix this comparison. a=diannaS DONTBUILD CVE-2026-6786
  • 2025883 Bug 2025883 - Fix VideoFrame.copyTo() using incorrect stride for YUV surfaces. a=diannaS CVE-2026-6751
  • 2025883 Bug 2025883 - Pass source frames-per-channel to AudioData CopySamples. a=diannaS CVE-2026-6751
  • 2025883 Bug 2025883 - Fix AudioData.copyTo() interleaved-to-interleaved incorrect frame offset calculation. a=diannaS CVE-2026-6751
  • 2025883 Bug 2025883 - Fix AudioData.copyTo() planar-to-interleaved not applying frame offset. a=diannaS CVE-2026-6751
  • 2025948 Bug 2025948: Change IPCOpen assertion a=diannaS DONTBUILD CVE-2026-6785
  • 2025949 Bug 2025949 - Hold strong reference to TextTrack in HonorUserPreferencesForTrackSelection. a=diannaS DONTBUILD CVE-2026-6785
  • 2025953 Bug 2025953 - webauthn: use built-in Cached webidl feature rather than manually caching objects a=diannaS CVE-2026-6785
  • 2025955 Bug 2025955 - Using RefPtr<DOMEventTarget> as method parameter instead of raw pointer for MessageEvent(ToParent)Runnable and WorkerErrorReport::ReportError. a=diannaS CVE-2026-6785
  • 2025969 Bug 2025969 - Copy txXPathNode as value a=diannaS DONTBUILD CVE-2026-6785
  • 2025970 Bug 2025970 - Prevent circular indexing a=diannaS DONTBUILD CVE-2026-6785
  • 2025971 Bug 2025971 - Use txSingleNodeContext getter of owned txXPathNode a=diannaS DONTBUILD CVE-2026-6785
  • 2025973 Bug 2025973 - Use value-semantics for txExecutionState::TemplateRule a=diannaS DONTBUILD CVE-2026-6785
  • 2025976 Bug 2025976 - Make txxPathNode be a value instead of reference a=diannaS DONTBUILD CVE-2026-6785
  • 2025977 Bug 2025977 - Re-fetch index entry a=diannaS DONTBUILD CVE-2026-6785
  • 2026278 Bug 2026278 - Make AutoSVGViewHandler::mRoot a strong reference a=diannaS DONTBUILD CVE-2026-6784
  • 2026280 Bug 2026280 - Calling ServiceWorkerRegistration::RevokeActor() with RefPtr object. a=diannaS DONTBUILD CVE-2026-6785
  • 2026282 Bug 2026282 - Don't flush in SMILCSSValueType::ValueFromString a=diannaS DONTBUILD CVE-2026-6786
  • 2026285 Bug 2026285 - Wrap all values in dom/streams. a=diannaS CVE-2026-6785
  • 2026292 Bug 2026292 - don't call accessibility service unnecessarily, r=edgar, a=dsmith CVE-2026-6784
  • 2026310 Bug 2026310 - Add a SequenceRooter in ProcessProfileData. a=diannaS DONTBUILD CVE-2026-6785
  • 2027148 Bug 2027148 - Clean up VideoEngine. a=diannaS DONTBUILD CVE-2026-6784
  • 2027152 Bug 2027152. a=diannaS DONTBUILD CVE-2026-6786
  • 2027161 Bug 2027161 - Simplify GMP plugin and actor lifetimes. a=diannaS DONTBUILD CVE-2026-6786
  • 2027238 Bug 2027238 - Use promise-based SendRequestMemoryReport instead of callback overload. a=RyanVM DONTBUILD CVE-2026-6786
  • 2027268 Bug 2027268 - simplify normalize() handling, r=emilio,masayuki, a=dsmith CVE-2026-6785
  • 2027302 Bug 2027302. a=diannaS CVE-2026-6786
  • 2027342 Bug 2027342. a=diannaS CVE-2026-6785
  • 2027384 Bug 2027384 - Keep destroyed state also on the video capture thread. a=diannaS DONTBUILD CVE-2026-6784
  • 2027541 Bug 2027541 - mochitest-plain test. a=diannaS DONTBUILD CVE-2026-6754
  • 2027694 Bug 2027694 - Remove manual DomainMatchingMode cast. a=diannaS DONTBUILD CVE-2026-6784
  • 2027959 Bug 2027959. a=diannaS DONTBUILD CVE-2026-6785
  • 2027995 Bug 2027995 - Have callers of BrowserParent::SendHandleTap hold a strong reference to the BrowserParent., a=dsmith CVE-2026-6785
  • 2028000 Bug 2028000: Zero this out on failure; this function is expected to overwrite it. a=diannaS DONTBUILD CVE-2026-6786
  • 2028267 Bug 2028267. a=diannaS DONTBUILD CVE-2026-6785
  • 2028275 Bug 2028275. a=diannaS CVE-2026-6785
  • 2028290 Bug 2028290. a=diannaS DONTBUILD CVE-2026-6785
  • 2028291 Bug 2028291: Clean up WebTransport CloseSession(), a=dsmith CVE-2026-6785
  • 2028525 Bug 2028525 - Keep CookieStoreNotifier alive during the dispatching of events, a=diannaS DONTBUILD CVE-2026-6786
  • 2028528 Bug 2028528 - Root dictionary a=diannaS DONTBUILD CVE-2026-6785
  • 2028551 Bug 2028551 a=diannaS DONTBUILD CVE-2026-6785
  • 2029415 Bug 2029415 - Do not flush from within UpdateFilter(). a=diannaS DONTBUILD CVE-2026-6786
  • 2029436 Bug 2029436 - patch 1 - [beta] Avoid holding refs into CurrentState() across SetFontInternal(). a=diannaS DONTBUILD CVE-2026-6785
  • 2029436 Bug 2029436 - patch 2 - [beta] Improve ParseSpacing helper & update callers. a=diannaS DONTBUILD CVE-2026-6785
  • 2029440 Bug 2029440 - a=diannaS DONTBUILD CVE-2026-6785
  • 2029449 Bug 2029449: Defer this, just in case., a=dsmith CVE-2026-6785
  • 2029450 Bug 2029450 - Always unblock onload in nsFrameLoaderOwner, r=mccr8, a=dsmith CVE-2026-6785
  • 2029461 Bug 2029461: Remove the custom memory allocator. a=RyanVM DONTBUILD CVE-2026-6784
  • 2029690 Bug 2029690 - handle fullscreen request on correct docs, r=edgar, a=dsmith CVE-2026-6785
  • 2029800 Bug 2029800 - quick fix. a=diannaS DONTBUILD CVE-2026-6784
  • 2029809 Bug 2029809 - Use static string literals for profiler labels in LoopingDecodingState. a=diannaS CVE-2026-6786
  • 2030123 Bug 2030123 - return early if ClientNavigateOpChild has lost IPC, r=farre a=RyanVM CVE-2026-6785
  • 2030320 Bug 2030320. a=RyanVM DONTBUILD CVE-2026-6785

• editor

  • 2029401 Bug 2029401 - Make AutoBlockElementsJoiner::HandleDeleteLineBreak track the new care position during the white-space normalization a=diannaS DONTBUILD CVE-2026-6786

• gfx

  • 2010727 Bug 2010727. a=diannaS DONTBUILD CVE-2026-6786
  • 2015952 Bug 2015952 - patch 1 - Clean up some variable declarations and redundant #includes in thebes font code. a=diannaS CVE-2026-6785
  • 2015952 Bug 2015952 - patch 2 - Try to bypass font table cache in gfxFontconfigFontEntry. a=diannaS CVE-2026-6785
  • 2015952 Bug 2015952 - patch 3 - Simplify FontTableCache to avoid potential race. a=diannaS CVE-2026-6785
  • 2015952 Bug 2015952 - patch 4 - Cache hb-face in FT2FontEntry if it wraps a disk file. a=diannaS CVE-2026-6785
  • 2021909 Bug 2021909 - Add missing check. a=RyanVM DONTBUILD CVE-2026-6785
  • 2022381 Bug 2022381- Ensure DataSourceSurface created by BufferTextureHost::GetAsSurface() valid during its usage, a=dsmith CVE-2026-6786
  • 2022874 Bug 2022874. r=gfx-reviewers,media-playback-reviewers,padenot,lsalzman CVE-2026-6785
  • 2023140 Bug 2023140. a=diannaS CVE-2026-6786
  • 2023276 Bug 2023276 Part 1: Early exit DataSourceSurfaceFromYCbCrDescriptor when buffer is null. a=diannaS CVE-2026-6785
  • 2023276 Bug 2023276 Part 2: Early exit BufferTextureHost::GetAsSurface when buffer is null. a=diannaS CVE-2026-6785
  • 2023276 Bug 2023276 Part 3: Early exit CreateBackendIndependentTextureHost for unreadable shmem. a=diannaS CVE-2026-6785
  • 2023407 Bug 2023407: Force WR pixel capture to use specific known directory. a=diannaS DONTBUILD CVE-2026-6750
  • 2024239 Bug 2024239 - Use specific IPC messages for flushing checkerboard reports. a=diannaS CVE-2026-6785
  • 2024241 Bug 2024241 - Strip DEALLOCATE_CLIENT in TextureHost::CreateIPDLActor() a=RyanVM CVE-2026-6785
  • 2024243 Bug 2024243. Handle degenerate sizes in ScreenshotGrabberImpl::GrabScreenshot. r=gfx-reviewers,lsalzman CVE-2026-6786
  • 2024247 Bug 2024247. a=diannaS CVE-2026-6786
  • 2025278 Bug 2025278. a=diannaS DONTBUILD CVE-2026-6785
  • 2025958 Bug 2025958 - build(webgpu): update wgpu to de1e7aae31290751a141f029bfc69174102746d9 r=webgpu-reviewers,nical a=diannaS CVE-2026-6784
  • 2026277 Bug 2026277. a=diannaS CVE-2026-6786
  • 2026289 Bug 2026289. a=diannaS CVE-2026-6786
  • 2026296 Bug 2026296 - Remove FontInfoUpdate and co post-traversal task., a=dsmith CVE-2026-6785
  • 2026296 Bug 2026296 - Allow sync family init from InitFontList thread., a=dsmith CVE-2026-6785
  • 2026297 Bug 2026297. a=diannaS DONTBUILD CVE-2026-6784
  • 2027269 Bug 2027269. a=diannaS DONTBUILD CVE-2026-6786
  • 2027277 Bug 2027277. a=diannaS DONTBUILD CVE-2026-6785
  • 2027280 Bug 2027280. a=diannaS DONTBUILD CVE-2026-6786
  • 2027281 Bug 2027281. a=diannaS DONTBUILD CVE-2026-6786
  • 2027284 Bug 2027284 - Defer shmem deallocation until RenderTextureHost destruction for beta, a=dsmith CVE-2026-6785
  • 2027287 Bug 2027287. a=diannaS DONTBUILD CVE-2026-6784
  • 2027339 Bug 2027339. a=diannaS DONTBUILD CVE-2026-6786
  • 2027359 Bug 2027359. r=sotaro,gfx-reviewers, a=dsmith DONTBUILD CVE-2026-6785
  • 2027964 Bug 2027964 - Reject root pipeline in Add/RemovePipelineIdForCompositable a=RyanVM DONTBUILD CVE-2026-6785
  • 2027974 Bug 2027974 - Centralize OpDestroy de-duplication in CompositableParentManager::DestroyActors a=diannaS DONTBUILD CVE-2026-6785
  • 2027975 Bug 2027975. a=diannaS DONTBUILD CVE-2026-6786
  • 2027979 Bug 2027979 - Check fontlist block index. a=diannaS DONTBUILD CVE-2026-6785
  • 2028268 Bug 2028268 - Gate VR process on dom.vr.enabled a=diannaS DONTBUILD CVE-2026-6785
  • 2028627 Bug 2028627 - [beta] Cache generation in gfxPlatformFontList. a=diannaS DONTBUILD CVE-2026-6785
  • 2028879 Bug 2028879 - Ensure user-font cache is used on main thread. a=diannaS DONTBUILD CVE-2026-6785
  • 2028887 Bug 2028887 - Use 64-bit arithmetic. a=diannaS DONTBUILD CVE-2026-6786
  • 2028888 Bug 2028888: Change gfxFT2FontBase::GetCachedGlyphMetrics() to return its answer by value, instead of by reference. a=diannaS DONTBUILD CVE-2026-6786
  • 2028889 Bug 2028889 - Pass the charmap hash as a parameter in to MaybeRemoveCmap. a=diannaS DONTBUILD CVE-2026-6785
  • 2029283 Bug 2029283 - Update OTS. a=diannaS DONTBUILD CVE-2026-6785
  • 2029291 Bug 2029291. a=diannaS DONTBUILD CVE-2026-6786
  • 2029300 Bug 2029300 - Add overflow checks in hb_aat_layout_chain_accelerator_t creation. a=diannaS DONTBUILD CVE-2026-6786
  • 2029304 Bug 2029304 - patch 2 - Correct bounds check in gfxHarfBuzzShaper::FindGlyf. a=diannaS DONTBUILD CVE-2026-6786
  • 2029314 Bug 2029314 - Clean up locking patterns in gfxHarfBuzzShaper. a=diannaS DONTBUILD CVE-2026-6785
  • 2029424 Bug 2029424 - Cherry-pick some ANGLE translator fixes. a=diannaS DONTBUILD CVE-2026-6785
  • 2029427 Bug 2029427 - Fix format string a=diannaS DONTBUILD CVE-2026-6785
  • 2029457 Bug 2029457 - Hold a reference of AsyncImagePipelineManager, a=dsmith CVE-2026-6786
  • 2029728 Bug 2029728 - Check subroutine offset in private dict. a=diannaS DONTBUILD CVE-2026-6785
  • 2029896 Bug 2029896. a=diannaS DONTBUILD CVE-2026-6785
  • 2029906 Bug 2029906 - Check for a wrapped Skia surface. a=RyanVM DONTBUILD CVE-2026-6785
  • 2030118 Bug 2030118 - [ots] Reject font with duplicate FDSelect. a=RyanVM DONTBUILD CVE-2026-6785
  • 2030118 Bug 2030118 - [cairo] Range-check FDSelect value during CFF subsetting. a=RyanVM DONTBUILD CVE-2026-6785
  • 2030230 Bug 2030230, a=dsmith CVE-2026-6785
  • 2030324 Bug 2030324. a=diannaS DONTBUILD CVE-2026-6786

• image

  • 2024357 Bug 2024357. r=gfx-reviewers,bradwerth CVE-2026-6786
  • 2026378 Bug 2026378. a=diannaS CVE-2026-6784
  • 2029294 Bug 2029294. a=diannaS DONTBUILD CVE-2026-6786
  • 2029472 Bug 2029472. a=RyanVM DONTBUILD CVE-2026-6785
  • 2030106 Bug 2030106. a=RyanVM DONTBUILD CVE-2026-6785

• ipc

  • 2022088 Bug 2022088 - Checking RemoteWorker type for SharedWorkerParent creation. a=diannaS CVE-2026-6785

• js

  • 2020378 Bug 2020378: Reshuffle atomic checks for better spec compliance. r=rhunt CVE-2026-6786
  • 2020378 Bug 2020378: Add suite of atomic wait/notify tests. r=rhunt CVE-2026-6786
  • 2022051 Bug 2022051. r=bvisness. CVE-2026-6784
  • 2024918 Bug 2024918 - Fix scalar replacement. a=diannaS DONTBUILD CVE-2026-6786
  • 2024919 Bug 2024919 - Improve alias sets of some MIR instructions. a=diannaS CVE-2026-6785
  • 2026869 Bug 2026869 - Validate primitive reads in structured clone a=diannaS DONTBUILD CVE-2026-6786
  • 2027274 Bug 2027274 - Patch. a=RyanVM CVE-2026-6786
  • 2027274 Bug 2027274 - Test. a=RyanVM CVE-2026-6786
  • 2027541 Bug 2027541 - Patch. a=diannaS DONTBUILD CVE-2026-6754
  • 2027982 Bug 2027982: Add non-proxy fallback a=diannaS DONTBUILD CVE-2026-6785
  • 2027993 Bug 2027993 - Tidy up fuse dependency code in WarpOracle. a=diannaS DONTBUILD CVE-2026-6784
  • 2028009 Bug 2028009. a=diannaS DONTBUILD CVE-2026-6784
  • 2028011 Bug 2028011 - Only allow strings as function name. a=diannaS DONTBUILD CVE-2026-6786
  • 2028416 Bug 2028416 - Update key color when marking weakmap symbol keys a=diannaS DONTBUILD CVE-2026-6784
  • 2029295 Bug 2029295 - Add read barrier to mark symbols retrieved from weak maps in the atom marking bitmap for the zone a=diannaS DONTBUILD CVE-2026-6784
  • 2029316 Bug 2029316 - Use setElement in UnmappedArgSetter to check if the argument was marked as deleted. a=RyanVM DONTBUILD CVE-2026-6786
  • 2029317 Bug 2029317 - Create RareArgumentsData before mutating the arguments object in MappedArgumentsObject::obj_defineProperty. a=RyanVM CVE-2026-6786
  • 2029727 Bug 2029727: Update RegExpStatics data after realloc a=diannaS DONTBUILD CVE-2026-6786
  • 2029735 Bug 2029735 - Handle UTF8 vs Latin1 comparisons correctly in UTF8EqualsChars., a=dsmith CVE-2026-6786
  • 2029754 Bug 2029754 - Check chunk to be decommitted is still in the empty chunks list a=diannaS DONTBUILD CVE-2026-6786
  • 2029801 Bug 2029801. . a=diannaS DONTBUILD CVE-2026-6784

• layout

  • 2020817 Bug 2020817 - Part 3: Allow .get on nsTLiteralString, a=diannaS CVE-2026-6784
  • 2022026 Bug 2022026 - Make nsFrameSelection::PageMove check whether the scrollable frame is available a=diannaS CVE-2026-6785
  • 2023551 Bug 2023551 - Remove EnsureFrameForTextNodeIsCreatedAfterFlush from AbstractRange. a=diannaS CVE-2026-6785
  • 2026293 Bug 2026293: Block scripts when initiating async scrollbar activity. a=diannaS DONTBUILD CVE-2026-6785
  • 2026296 Bug 2026296 - Improve handling of Post-traversal tasks. r=jfkthame,firefox-style-system-reviewers,layout-reviewers,dshin, a=dsmith CVE-2026-6785
  • 2026296 Bug 2026296: apply code formatting via Lando CVE-2026-6785
  • 2027261 Bug 2027261 - Use FirstContinuationOrIBSplitSibling instead of GetPrevInFlow. a=diannaS DONTBUILD CVE-2026-6786
  • 2028270 Bug 2028270. r=firefox-style-system-reviewers,dshin, a=dsmith DONTBUILD CVE-2026-6784
  • 2028288 Bug 2028288 - Don't use nsContentList from nsRangeFrame::TickMarks(). a=diannaS DONTBUILD CVE-2026-6785
  • 2029064 Bug 2029064 - Make nsFontFaceLoader::Cancel() remove itself from the registering font-set. a=diannaS DONTBUILD CVE-2026-6786
  • 2029411 Bug 2029411 - Use the first continuation frame a=diannaS DONTBUILD CVE-2026-6785
  • 2029468 Bug 2029468 - Check for NONDISPLAY frames a=diannaS DONTBUILD CVE-2026-6785
  • 2029699 Bug 2029699 - Simplify InlineBackgroundData handling. a=diannaS DONTBUILD CVE-2026-6784
  • 2029708 Bug 2029708 - avoid unexpected selection handling with table cells, r=masayuki, a=dsmith CVE-2026-6785
  • 2029802 Bug 2029802: Prohibit redundant calls to RecvInitializePrint. a=RyanVM DONTBUILD CVE-2026-6785

• media

  • 2029290 Bug 2029290. a=diannaS DONTBUILD CVE-2026-6786
  • 2029296 Bug 2029296 - a=RyanVM DONTBUILD CVE-2026-6785
  • 2029423 Bug 2029423 - Reset post_proc state. a=RyanVM CVE-2026-6785

• modules

  • 2029458 Bug 2029458 - Update Brotli to upstream revision 4792c8e4c4235f6b501f13dbd07a8b4b253eee21, a=dsmith CVE-2026-6785

• mozglue

  • 2022608 Bug 2022608 - Add a thread-safe interposer for the secure_getenv() functions r=glandium CVE-2026-6786

• netwerk

  • 2020817 Bug 2020817 - Part 1: Clean up NetAddr ToString, a=diannaS CVE-2026-6784
  • 2022041 Bug 2022041: Add IsSocketClosed() a=diannaS CVE-2026-6785
  • 2022041 Revert "Bug 2022041: Add IsSocketClosed()" a=backout CVE-2026-6785
  • 2022041 Bug 2022041: Add IsSocketClosed() a=diannaS CVE-2026-6785
  • 2023120 Bug 2023120 - use nsCOMPtr for mRequest in ScopedRequestSuspender a=diannaS CVE-2026-6786
  • 2023279 Bug 2023279 - nsHttpChannel::AsyncOpen should hold strong ref to self r=necko-reviewers,kershaw CVE-2026-6786
  • 2023302 Bug 2023302 - null check mResponseHead when calling ClearHeaders r=necko-reviewers,jesup CVE-2026-6784
  • 2023950 Bug 2023950 - Force NUL termination in ToStringBuffer AF_LOCAL; reject AF_LOCAL in IPC reader, a=diannaS DONTBUILD CVE-2026-6786
  • 2023959 Bug 2023959 - Don't allow setting headers while ReplacedHttpResponse::VisitResponseHeaders is iterating them r=necko-reviewers,jesup CVE-2026-6786
  • 2023965 Bug 2023965 - Hold strong ref in nsSyncStreamListener::Available r=necko-reviewers,kershaw CVE-2026-6786
  • 2024233 Bug 2024233: ProxyRelease HttpTransactionParent releases a=RyanVM DONTBUILD CVE-2026-6785
  • 2024245 Bug 2024245 - make tickler threadsafe a=diannaS CVE-2026-6786
  • 2024250 Bug 2024250 - Always dispatch nsHttpChannel::Release to main thread a=diannaS CVE-2026-6785
  • 2024251 Bug 2024251 - Increment addr_info_gencnt after record update a=diannaS CVE-2026-6785
  • 2024253 Bug 2024253 - Hold strong ref in nsDownloader::OnDataAvailable a=diannaS CVE-2026-6786
  • 2024265 Bug 2024265: Clean up locking in nsSocketTransport r=necko-reviewers,kershaw CVE-2026-6784
  • 2024343 Bug 2024343: Limit notifications from the socket process to the known set a=diannaS DONTBUILD CVE-2026-6785
  • 2024367 Bug 2024367 - Call AddIPDLReference before SendP*Constructor a=diannaS CVE-2026-6784
  • 2024369 Bug 2024369 - Make CookieProcessingGuard hold a strong ref to the IPC actor a=diannaS CVE-2026-6784
  • 2024661 Bug 2024661: Clean up DeleteChannel a=diannaS DONTBUILD CVE-2026-6785
  • 2024662 Bug 2024662: Clean up EarlyHints a=diannaS DONTBUILD CVE-2026-6785
  • 2024664 Bug 2024664 - Prevent ObliviousHttpChannel::mStreamListener replacement a=diannaS CVE-2026-6786
  • 2024666 Bug 2024666 - Make TLSTransportLayer::Close dispatch to socket thread a=diannaS CVE-2026-6786
  • 2024668 Bug 2024668: Minor fix for continuation in Activate() a=diannaS DONTBUILD CVE-2026-6785
  • 2024669 Bug 2024669 - nsHttpActivityDistributor should hold a self ref a=diannaS DONTBUILD CVE-2026-6786
  • 2024670 Bug 2024670 - Clone connection info in nsHttpTransaction a=diannaS DONTBUILD CVE-2026-6786
  • 2024671 Bug 2024671 - Annotate mHttpExclusionLock guarding mExcludedHttp2Origins and mExcludedHttp3Origins a=diannaS CVE-2026-6786
  • 2024760 Bug 2024760 - Handle WebSocketChannel::IsPersistentFramePtr correctly a=diannaS DONTBUILD CVE-2026-6784
  • 2024761 Bug 2024761 - WebSocketChannelChild cleanup, a=diannaS CVE-2026-6786
  • 2025951 Bug 2025951: Add GetFD() to nsUDPSocket a=RyanVM DONTBUILD CVE-2026-6785
  • 2027340 Bug 2027340 - Remove moz-gio: protocol, a=dsmith CVE-2026-6786
  • 2027427 Bug 2027427: Move this to the impl file, and return a RefPtr. a=diannaS DONTBUILD CVE-2026-6784
  • 2029061 Bug 2029061: Fix some moz-* handlers a=diannaS DONTBUILD CVE-2026-6785
  • 2029707 Bug 2029707: add a length check a=diannaS DONTBUILD CVE-2026-6785
  • 2030370 Bug 2030370: Update SocketProcess Bridge a=RyanVM DONTBUILD CVE-2026-6786
  • 2030370 Bug 2030370 - Fix whitespace. a=bustage CVE-2026-6786

• parser

  • 2028289 Bug 2028289. a=diannaS DONTBUILD CVE-2026-6786
  • 2029071 Bug 2029071 - Handle foster parenting properly; a=RyanVM CVE-2026-6785

• security

  • 2016901 Bug 2016901 - Fix potential race in NSSIOLayer. r=keeler CVE-2026-6784
  • 2028728 Bug 2028728 - remove extraneous psm::SyncRunnableBase implementation a=diannaS DONTBUILD CVE-2026-6786

• servo

  • 2024420 Bug 2024420. a=diannaS CVE-2026-6786

• testing

  • 2023551 Bug 2023551 - Prevent AccessibleCaret test from hitting collapsed whitespace., a=test-only CVE-2026-6785
  • 2025361 Bug 2025361 - Find correct originating element for attr() on pseudo. a=diannaS CVE-2026-6784

• third_party

  • 2022431 Bug 2022431 - build(webgpu): update wgpu to 5a9b30f2d09548eac623fca5209246c766d16f1d r=webgpu-reviewers,nical a=diannaS CVE-2026-6784
  • 2025954 Bug 2025954 - build(webgpu): update wgpu to 2d21fcfe3e425ffdbf5cc4399212fbd1807af30f r=webgpu-reviewers,nical a=diannaS CVE-2026-6784
  • 2027499 Bug 2027499 - adhere to spec on number of CSRCs in rtp packets. a=diannaS CVE-2026-6752
  • 2027501 Bug 2027501 - fix fast recovery retransmission logic. a=diannaS DONTBUILD CVE-2026-6753
  • 2028896 Bug 2028896 - Update cubeb-coreaudio-rs to 0bb8a45a040e85d313eb18deb36570e87df3a6af. a=diannaS DONTBUILD CVE-2026-6786
  • 2029430 Bug 2029430 - Vendor libwebrtc from fe210de721 a=RyanVM DONTBUILD CVE-2026-6786
  • 2029776 Bug 2029776 - Cherry-pick upstream libwebrtc commit 77d265670f a=diannaS CVE-2026-6786

• toolkit

  • 2023836 Bug 2023836 - use origin in searchAutoComplete a=diannaS DONTBUILD CVE-2026-6786
  • 2025526 Bug 2025526: rework FindBar:Keypress a=RyanVM CVE-2026-6785
  • 2027330 Bug 2027330 - Use local variable for BrowsingContext in storePermission callback a=RyanVM DONTBUILD CVE-2026-6785
  • 2027331 Bug 2027331 - Removing unnecessary post-increment in LookupCache. a=diannaS DONTBUILD CVE-2026-6786
  • 2027738 Bug 2027738 - Join the timeout source to the progress bar lifetime a=diannaS DONTBUILD CVE-2026-6786

• tools

  • 2019916 Bug 2019916 - r=mstange,profiler-reviewers CVE-2026-6784
  • 2019916 Revert "Bug 2019916 - r=mstange,profiler-reviewers" for causing hazard failures. CVE-2026-6784
  • 2019916 Bug 2019916 - r=mstange,profiler-reviewers CVE-2026-6784
  • 2027341 Bug 2027341 - Check profiler JS source length before reading, a=dsmith CVE-2026-6784

• widget

  • 2019547 Bug 2019547 - Use ContiguousEnumSerializerInclusive more at receiving/sending IME messages r=m_kato,geckoview-reviewers,win-reviewers,gstoll CVE-2026-6786
  • 2023128 Bug 2023128 - Helper function for reading InputData. r=masayuki,botond CVE-2026-6786
  • 2023882 Bug 2023882 - Ensure GTK dialogs are properly torn down when parent window closes during gtk_dialog_run r=stransky CVE-2026-6786
  • 2024466 Bug 2024466: Remove unused return type on SwipeTracker::SendSwipeEvent and general cleanup. a=diannaS CVE-2026-6786
  • 2025292 Bug 2025292 - Cleanup ParamTraits for TextRange(Style). a=diannaS CVE-2026-6786
  • 2025384 Bug 2025384 - Clean up SwipeTracker lifecycle interactions with event dispatching. a=diannaS CVE-2026-6786
  • 2026288 Bug 2026288. a=diannaS DONTBUILD CVE-2026-6786
  • 2027298 Bug 2027298, release color picker callbacks sooner, r=emilio, a=dsmith CVE-2026-6785
  • 2027300 Bug 2027300: Improve clearing of data during clipboard operations. a=diannaS DONTBUILD CVE-2026-6786
  • 2027754 Bug 2027754 - Improve error handling in AsyncSetClipboardData::SetData and MaybeNotifyCallback. a=diannaS DONTBUILD CVE-2026-6785

• xpcom

  • 2024233 Bug 2024233 - Backport DecrementWithLimit<Limit>(). a=bustage CVE-2026-6785
  • 2025962 Bug 2025962 - Add back pointer to queued CleanupRunnable a=RyanVM DONTBUILD CVE-2026-6785
  • 2029063 Bug 2029063 - Clear pool thread free pointer before exiting Run(). a=RyanVM DONTBUILD CVE-2026-6786