diff --git a/gnu/local.mk b/gnu/local.mk
index 2c303b0575..f7d6d5db95 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1833,6 +1833,7 @@ dist_patch_DATA = \
 %D%/packages/patches/libutils-remove-damaging-includes.patch \
 %D%/packages/patches/libvdpau-va-gl-unbundle.patch \
 %D%/packages/patches/libvpx-CVE-2016-2818.patch \
+ %D%/packages/patches/libvpx-CVE-2026-2447.patch \
 %D%/packages/patches/libxcb-path-max.patch \
 %D%/packages/patches/libxml2-xpath0-Add-option-xpath0.patch \
 %D%/packages/patches/libwpd-gcc-compat.patch \
diff --git a/gnu/packages/patches/libvpx-CVE-2026-2447.patch b/gnu/packages/patches/libvpx-CVE-2026-2447.patch
new file mode 100644
index 0000000000..bec51a7dd4
--- /dev/null
+++ b/gnu/packages/patches/libvpx-CVE-2026-2447.patch
@@ -0,0 +1,96 @@
+Copied from
+See also:
+ and:
+
+
+From d5f35ac8d93cba7f7a3f7ddb8f9dc8bd28f785e1 Mon Sep 17 00:00:00 2001
+From: Wan-Teh Chang
+Date: Wed, 21 Jan 2026 18:03:55 -0800
+Subject: [PATCH] write_superframe_index: return 0 if buffer is full
+
+write_superframe_index() should return the number of bytes written to
+ctx->pending_cx_data. If ctx->pending_cx_data is full,
+write_superframe_index() doesn't write the optional superframe index, so
+it should return 0 in this case. Add an assertion that would have
+detected this bug. Add and clarify comments for code related to this
+bug.
+
+Also fix the buffer full check. The check should not assume that
+ctx->pending_cx_data is equal to ctx->cx_data, and the check had an
+off-by-one error.
+
+The bug was introduced when write_superframe_index() was added in the
+following CLs:
+https://chromium-review.googlesource.com/c/webm/libvpx/+/44659
+https://chromium-review.googlesource.com/c/webm/libvpx/+/45268
+
+Bug: oss-fuzz:476466137
+Change-Id: Ie113568cf25acc73f8af640a3c51cfdb5b900613
+---
+ vp9/vp9_cx_iface.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/vp9/vp9_cx_iface.c b/vp9/vp9_cx_iface.c
+index 83f45b01b..ab9c582db 100644
+--- a/vp9/vp9_cx_iface.c
++++ b/vp9/vp9_cx_iface.c
+@@ -8,7 +8,9 @@
+ * be found in the AUTHORS file in the root of the source tree.
+ */
+
++#include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -122,6 +124,7 @@ struct vpx_codec_alg_priv {
+ VP9_COMP *cpi;
+ unsigned char *cx_data;
+ size_t cx_data_sz;
++ // pending_cx_data either is a null pointer or points into the cx_data buffer.
+ unsigned char *pending_cx_data;
+ size_t pending_cx_data_sz;
+ int pending_frame_count;
+@@ -1253,8 +1256,12 @@ static int write_superframe_index(vpx_codec_alg_priv_t *ctx) {
+
+ // Write the index
+ index_sz = 2 + (mag + 1) * ctx->pending_frame_count;
+- if (ctx->pending_cx_data_sz + index_sz < ctx->cx_data_sz) {
+- uint8_t *x = ctx->pending_cx_data + ctx->pending_cx_data_sz;
++ unsigned char *cx_data_end = ctx->cx_data + ctx->cx_data_sz;
++ unsigned char *pending_cx_data_end =
++ ctx->pending_cx_data + ctx->pending_cx_data_sz;
++ ptrdiff_t space_remaining = cx_data_end - pending_cx_data_end;
++ if (index_sz <= space_remaining) {
++ uint8_t *x = pending_cx_data_end;
+ int i, j;
+ #ifdef TEST_SUPPLEMENTAL_SUPERFRAME_DATA
+ uint8_t marker_test = 0xc0;
+@@ -1285,6 +1292,8 @@ static int write_superframe_index(vpx_codec_alg_priv_t *ctx) {
+ #ifdef TEST_SUPPLEMENTAL_SUPERFRAME_DATA
+ index_sz += index_sz_test;
+ #endif
++ } else {
++ index_sz = 0;
+ }
+ return index_sz;
+ }
+@@ -1613,9 +1622,12 @@ static vpx_codec_err_t encoder_encode(vpx_codec_alg_priv_t *ctx,
+ ctx->pending_frame_sizes[ctx->pending_frame_count++] = size;
+ ctx->pending_frame_magnitude |= size;
+ ctx->pending_cx_data_sz += size;
+- // write the superframe only for the case when
+- if (!ctx->output_cx_pkt_cb.output_cx_pkt)
++ // write the superframe only for the case when the callback function
++ // for getting per-layer packets is not registered.
++ if (!ctx->output_cx_pkt_cb.output_cx_pkt) {
+ size += write_superframe_index(ctx);
++ assert(size <= cx_data_sz);
++ }
+ pkt.data.frame.buf = ctx->pending_cx_data;
+ pkt.data.frame.sz = ctx->pending_cx_data_sz;
+ ctx->pending_cx_data = NULL;
+--
+2.52.0
+
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 2ee75b95a7..c06a5f0448 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
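Review bot: When the new `if (index_sz <= space_remaining)` check in write_superframe_index() fails, the function now returns 0 and the caller in encoder_encode() still goes on to set `pkt.data.frame.buf = ctx->pending_cx_data; pkt.data.frame.sz = ctx->pending_cx_data_sz;`, so the pending frames appear to be handed out without a superframe index and no error reaches the caller; the added `assert(size <= cx_data_sz)` does not guard this path because it is compiled out under NDEBUG in release builds. That is the upstream fix as written and grafting it is the right Guix-side action, but the local header of the patch file could record the residual behaviour for the next packager, e.g. `Note: when the output buffer is full the superframe index is omitted rather than reported; the added assert is debug-only.` The enclosing encoder_encode() body starts and ends outside the nested hunk.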
@@ -3132,6 +3132,7 @@ wallpaper using mpv.")
 (package
 (name "libvpx")
 (version "1.15.2")
+ (replacement libvpx/fixed)
 (source (origin
 (method git-fetch)
 (uri (git-reference
@@ -3170,6 +3171,11 @@ wallpaper using mpv.")
 (license license:bsd-3)
 (home-page "https://www.webmproject.org/")))
 
+(define-public libvpx/fixed
+ (hidden-package
+ (package-with-extra-patches libvpx
+ (search-patches "libvpx-CVE-2026-2447.patch"))))
+
 (define-public orfondl
 (package
 (name "orfondl")