Description
Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a use-after-free flaw in the WebGPU component of Mozilla’s rendering engine. The flaw can cause memory corruption when the component accesses freed memory, potentially enabling execution of arbitrary code. The weakness is represented by CWE-416 (Use After Free).

Affected Systems

The flaw affects Mozilla’s products Firefox and Thunderbird on all versions released prior to version 152. Those customers should verify that their installations are at least at version 152 or later.

Risk and Exploitability

The EPSS score is below 1%, indicating a very low probability of immediate exploitation, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is a maliciously crafted web page that is rendered in a browser or mail client using WebGPU; once the client processes the page, the use-after-free can be triggered. The CVSS score of 9.8 indicates critical severity. Because the flaw resides in a low-level graphics component, successful exploitation requires the attacker to have access to the user’s machine, either through a privileged user or by luring the user to visit the malicious content.

Generated by OpenCVE AI on June 18, 2026 at 22:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 152 or later.
  • Update Thunderbird to version 152 or later.
  • If an immediate update is not possible, disable WebGPU by setting dom.webgpu.enabled to false in the about:config preferences.

Generated by OpenCVE AI on June 18, 2026 at 22:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152. Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
References

Tue, 16 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152.
Title Use-after-free in the Graphics: WebGPU component
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-18T16:11:19.122Z

Reserved: 2026-06-15T15:08:07.470Z

Link: CVE-2026-12293

cve-icon Vulnrichment

Updated: 2026-06-18T14:25:55.825Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-16T13:16:29.553

Modified: 2026-06-16T17:16:33.200

Link: CVE-2026-12293

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:45:16Z

Weaknesses