Description
Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The reported issue is incorrect handling of boundary conditions within the Web Audio component. This flaw could result in memory corruption if an attacker supplies crafted audio data that triggers invalid buffer access. The specific impact is not detailed in the advisory, but such corruption could potentially lead to execution of arbitrary code or denial‑of‑service, depending on how the corrupted memory is interpreted. These possibilities are inferred because the advisory does not explicitly state the outcome of exploitation.

Affected Systems

The vulnerability affects Mozilla Firefox versions older than 152 and Firefox Extended Support Release versions older than 140.12, as well as Mozilla Thunderbird versions older than 152 and Thunderbird Extended Support Release versions older than 140.12. Users running any earlier release are potentially vulnerable.

Risk and Exploitability

The EPSS score is reported as less than 1%, indicating a low probability of active exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The advisory mentions fixes in new releases. The CVSS score of 8.1 indicates high severity, but the low exploit likelihood suggests that the risk is currently moderate until an exploit becomes available. The advisory gives no explicit exploitation vector, which makes the exact attack path difficult to assess; it is inferred that a malicious web page or email containing a crafted audio payload could be used to trigger the boundary error, but this inference is not confirmed by the CVE description.

Generated by OpenCVE AI on June 18, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 152 or later, or upgrade to the Firefox Extended Support Release 140.12.
  • Update Mozilla Thunderbird to version 152 or later, or upgrade to Thunderbird Extended Support Release 140.12.
  • If updating immediately is not feasible, disable the Web Audio feature via browser or email client preferences to prevent the vulnerable component from processing audio data.
  • Monitor security advisories from Mozilla for any additional mitigation steps or patches.

Advisories
Source | ID | Title
Debian DSA | DSA-6350-1 | firefox-esr security update
Debian DSA | DSA-6351-1 | thunderbird security update

History

Thu, 18 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Tue, 16 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12. | Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
References

Tue, 16 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Title Incorrect boundary conditions in the Web Audio component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-18T16:11:24.882Z

Reserved: 2026-06-15T15:08:07.009Z

Link: CVE-2026-12292

Vulnrichment

Updated: 2026-06-18T14:27:57.775Z

NVD

Status: Undergoing Analysis

Published: 2026-06-16T13:16:29.457

Modified: 2026-06-16T17:16:33.097

Link: CVE-2026-12292

Redhat

Severity: Important

Public Date: 2026-06-16T11:52:25Z

Links: CVE-2026-12292 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T22:15:04Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-787

    Out-of-bounds Write