Mozilla has officially rolled out its latest Extended Support Release (ESR) updates: Firefox ESR 140.12.0 and Firefox ESR 115.37.0. Released on June 16, 2026, these updates skip the flashy visual redesigns in favor of something much more important: a large batch of security fixes designed to keep enterprise deployments and legacy operating systems locked down against emerging threats.
If you manage an IT department or rely on older hardware to get your daily work done, you need to push these updates immediately.
Firefox ESR 140.12 gets a security overhaul
For most corporate organizations and large-scale deployments, Firefox ESR 140 is the reigning champion. Built on the stable foundation of Version 128.0esr, the new 140.12.0 update bundles all the enterprise deployment flexibilities introduced since mid-2024. However, the real story here is the under-the-hood security overhaul.

Mozilla’s development and fuzzing teams have patched a staggering 29 vulnerabilities in this single release. Crucially, 12 of these carry a “High” impact rating. Attackers constantly look for weak points in enterprise networks, and on unpatched installations they could exploit flaws like the privilege escalation bug found in WebRender (CVE-2026-12289). The release also fixes several sandbox escapes within the DOM and Networking components (CVE-2026-12294, CVE-2026-12295, CVE-2026-12297).
While everyday users on the rapid-release track are busy customizing their new desktop homepage tab or tracking live football scores with the recently introduced World Cup widgets, ESR 140.12 quietly closes these holes for corporate environments. The update also resolves multiple memory safety bugs that showed evidence of memory corruption, flaws that could otherwise allow bad actors to execute arbitrary code.
Firefox ESR 115.37 brings a crucial lifeline for legacy systems
Mozilla also hasn’t forgotten the millions of users still navigating the web on outdated operating systems. Firefox ESR 115 remains the exclusive, fully supported browser for users running Windows 7, 8, and 8.1, as well as macOS 10.12 through 10.14. (If you are on a newer OS, Mozilla strongly advises migrating directly to ESR 140.)
The latest version 115.37.0 update, which originated from the older 102.0esr branch, applies 11 vital security fixes. Legacy users receive patches for eight high-impact vulnerabilities, including a highly dangerous use-after-free bug in the HTTP component (CVE-2026-12291) and the same JIT miscompilation error affecting the modern branch (CVE-2026-12299).

Operating systems like Windows 7 no longer receive any official security support from Microsoft, making your web browser your absolute last line of defense. By pushing these high-severity memory safety and sandbox patches down to version 115, Mozilla ensures that older hardware doesn’t become a gaping security liability for users who haven’t yet upgraded their machines.
Whether you oversee thousands of workstations running ESR 140 or you are personally keeping an old Windows 7 laptop alive on ESR 115, do not delay this update.
To protect your system from these vulnerabilities, navigate to the Firefox menu, click on Help, and select About Firefox to trigger the download of version 140.12.0 or 115.37.0. Enterprise IT administrators should approve and push the patch through their standard endpoint management tools immediately.
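For administrators who want to confirm the rollout, the following added example (not Mozilla's tooling and not part of the original article) classifies a host inventory against the two fixed versions named above. It assumes each host reports a string in the form printed by `firefox --version`; the host names, the inventory and the status labels are constructed for illustration.

```python
import re

# Fixed versions named in the article, keyed by ESR major branch.
PATCHED = {140: (140, 12, 0), 115: (115, 37, 0)}

# Matches "140.12.0esr", "115.37.0esr" or a rapid-release string such as "151.0".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_esr), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, bool(m.group(4))


def classify(text):
    """Map one reported version string to a patch status label."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparseable"          # agent returned nothing usable
    version, is_esr = parsed
    if not is_esr:
        return "not-esr"              # rapid-release build, out of scope here
    fixed = PATCHED.get(version[0])
    if fixed is None:
        return "unsupported-branch"   # ESR branch the article does not cover
    return "patched" if version >= fixed else "needs-update"


def audit(inventory):
    """Classify every host in a {hostname: version string} mapping."""
    return {host: classify(reported) for host, reported in inventory.items()}


# Constructed inventory, as an endpoint-management export might provide it.
SAMPLE = {
    "ws-001": "Mozilla Firefox 140.12.0esr",
    "ws-002": "Mozilla Firefox 140.11.0esr",
    "legacy-win7": "Mozilla Firefox 115.36.0esr",
    "legacy-mac": "Mozilla Firefox 115.37.0esr",
    "kiosk-03": "Mozilla Firefox 128.14.0esr",
    "dev-box": "Mozilla Firefox 151.0",
    "offline-07": "",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host:12} {status}")
```

Hosts reported as `needs-update` or `unsupported-branch` are the ones to chase first; `unparseable` usually means the inventory agent did not return a version at all.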