Description
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a memory safety flaw affecting Mozilla Firefox and Thunderbird, identified as a buffer overflow (CWE‑119) and an improper free of memory not owned (CWE‑823). The bug allows an attacker to corrupt process memory, which may result in arbitrary code execution or sensitive data disclosure. The description does not provide a specific exploitation path, but such memory corruption vulnerabilities commonly permit privilege escalation or remote code execution if the attacker can influence memory usage.

Affected Systems

Mozilla Firefox users running a version earlier than 152, including the ESR tracks 140.12 and 115.37, are affected. Mozilla Thunderbird users on any version before 152 are also vulnerable. The fix is available in those later releases, so systems with the fixed versions are no longer at risk.

Risk and Exploitability

The EPSS score is reported as less than 1%, indicating the known probability of exploitation is very low, and it is not listed in CISA’s KEV catalog. The CVSS score is 8.1, indicating a high severity. The likely attack vector is local or file‑based, meaning the attacker would need to deliver malicious content that triggers the bug. Given the low exploitation probability, the overall risk for most organizations is moderate, but the potential impact warrants prompt remediation.

Generated by OpenCVE AI on June 19, 2026 at 00:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 152 or later, or to the latest available ESR release (140.12 or newer).
  • Update Mozilla Thunderbird to version 152 or newer; for older ESR branches apply the corresponding update that includes the fix.
  • If an immediate update is not possible, disable or remove legacy extensions or add‑ons that might supply malformed data, and ensure that recent security patches are applied in the OS package manager.

Generated by OpenCVE AI on June 19, 2026 at 00:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6350-1 firefox-esr security update
Debian DSA Debian DSA DSA-6351-1 thunderbird security update
History

Thu, 18 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
CWE-787

Thu, 18 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Thu, 18 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Title Memory safety bug fixed in Thunderbird 152 Memory safety bug fixed in Firefox 152

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-823
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
CWE-787

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37. Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Title Memory safety bug fixed in Firefox 152 Memory safety bug fixed in Thunderbird 152
References

Tue, 16 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
Title Memory safety bug fixed in Firefox 152
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-18T18:00:44.212Z

Reserved: 2026-06-15T15:08:06.073Z

Link: CVE-2026-12290

cve-icon Vulnrichment

Updated: 2026-06-17T13:42:36.771Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-16T13:16:29.267

Modified: 2026-06-16T17:16:32.883

Link: CVE-2026-12290

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-16T11:52:23Z

Links: CVE-2026-12290 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:30:17Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-823

    Use of Out-of-range Pointer Offset