Description
Use-after-free in the Networking: HTTP component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a use‑after‑free bug in the Networking: HTTP component. The flaw can be triggered by malicious network traffic that results in a dangling pointer dereference, allowing an attacker to execute arbitrary code in the context of the vulnerable application.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. Versions earlier than Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12 contain the vulnerability; all later releases contain the patch.

Risk and Exploitability

The CVSS score is 8.8, indicating high severity, while the EPSS score is below 1 % and the flaw is not listed in the CISA KEV catalog. The vulnerability can be exploited remotely through crafted HTTP traffic without requiring authentication, making systems exposed to untrusted network data at high risk.

Generated by OpenCVE AI on June 18, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Mozilla Firefox 152 or newer, or to the latest Firefox ESR 140.12 or 115.37 release.
  • Upgrade to Mozilla Thunderbird 152 or newer, or to the latest Thunderbird ESR 140.12 release.
  • If an immediate upgrade is not possible, isolate the affected applications from untrusted network connections or limit external HTTP traffic until the update can be applied.

Generated by OpenCVE AI on June 18, 2026 at 22:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6350-1 firefox-esr security update
Debian DSA Debian DSA DSA-6351-1 thunderbird security update
History

Thu, 18 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE‑416

Thu, 18 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE‑416

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Use-after-free in the Networking: HTTP component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37. Use-after-free in the Networking: HTTP component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
References

Tue, 16 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Use-after-free in the Networking: HTTP component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
Title Use-after-free in the Networking: HTTP component
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-18T16:11:30.479Z

Reserved: 2026-06-15T15:08:06.495Z

Link: CVE-2026-12291

cve-icon Vulnrichment

Updated: 2026-06-18T14:28:49.254Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-16T13:16:29.363

Modified: 2026-06-16T17:16:32.983

Link: CVE-2026-12291

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-16T11:52:24Z

Links: CVE-2026-12291 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:15:04Z

Weaknesses