CVE-2026-12297 - Vulnerability Details

- Sandbox escape due to incorrect boundary conditions in the Networking component

Description

Sandbox escape due to incorrect boundary conditions in the Networking component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

Published: 2026-06-16

Score: 9.6 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from incorrect boundary checks in the Networking component, which can cause a sandbox escape and allow an attacker to execute code with elevated privileges. This flaw directly threatens the integrity and confidentiality of the affected system by granting the attacker the ability to run arbitrary code.

Affected Systems

Mozilla products that are impacted include Firefox and Thunderbird versions older than 152. The fix was delivered in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37, as well as in Thunderbird 152 and Thunderbird ESR 140.12. The issue is confined to the Networking component of these browsers and does not affect later releases.

Risk and Exploitability

The EPSS score of less than 1 % denotes a very low but non‑zero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the most likely attack vector involves processing untrusted network content, such as visiting a malicious website or opening an infected email attachment; once this boundary error is triggered, the sandbox can be bypassed and arbitrary code may run. The CVSS score of 9.6 indicates a critical severity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`115.37`	unaffected	≤ 115.*
`140.12`	unaffected	≤ 140.*
`152`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`140.12`	unaffected	≤ 140.*
`152`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Mozilla

Firefox

100%

Version	Status	Scheme	Platform
`[115.37,115.*]`	unaffected	generic	—
`[140.12,140.*]`	unaffected	generic	—
`[152,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update to the latest version of Firefox or Thunderbird that contains the fix (e.g., Firefox 152 or ESR 140.12/115.37, Thunderbird 152 or ESR 140.12).
Configure the browser’s security settings to a higher level or enable strict sandboxing to prevent untrusted network content from executing before the fix is applied.
Continuously monitor Mozilla security advisories and apply subsequent patches promptly.

Generated by OpenCVE AI on June 18, 2026 at 18:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6350-1	firefox-esr security update
Debian DSA	DSA-6351-1	thunderbird security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00156.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=2041610
https://nvd.nist.gov/vuln/detail/CVE-2026-12297
https://www.cve.org/CVERecord?id=CVE-2026-12297
https://www.mozilla.org/security/advisories/mfsa2026-57/
https://www.mozilla.org/security/advisories/mfsa2026-58/
https://www.mozilla.org/security/advisories/mfsa2026-58/#CVE-2026-12297
https://www.mozilla.org/security/advisories/mfsa2026-59/
https://www.mozilla.org/security/advisories/mfsa2026-60/
https://www.mozilla.org/security/advisories/mfsa2026-61/
https://www.mozilla.org/security/advisories/mfsa2026-61/#CVE-2026-12297

History

Thu, 18 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-653
References		https://nvd.nist.gov/vuln/detail/CVE-2026-12297 https://www.cve.org/CVERecord?id=CVE-2026-12297 https://www.mozilla.org/security/advisories/mfsa2026-58/#CVE-2026-12297 https://www.mozilla.org/security/advisories/mfsa2026-61/#CVE-2026-12297
Metrics	threat_severity `None`	cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` threat_severity `Important`

Tue, 16 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description	Sandbox escape due to incorrect boundary conditions in the Networking component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.	Sandbox escape due to incorrect boundary conditions in the Networking component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
References		https://www.mozilla.org/security/advisories/mfsa2026-60/ https://www.mozilla.org/security/advisories/mfsa2026-61/

Tue, 16 Jun 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox
Vendors & Products		Mozilla Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type	Values Removed	Values Added
Description		Sandbox escape due to incorrect boundary conditions in the Networking component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
Title		Sandbox escape due to incorrect boundary conditions in the Networking component
References		https://bugzilla.mozilla.org/show_bug.cgi?id=2041610 https://www.mozilla.org/security/advisories/mfsa2026-57/ https://www.mozilla.org/security/advisories/mfsa2026-58/ https://www.mozilla.org/security/advisories/mfsa2026-59/

Subscriptions

Mozilla Firefox

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2026-06-16T11:52:30.907Z

Updated: 2026-06-18T16:10:54.170Z

Reserved: 2026-06-15T15:08:09.151Z

Link: CVE-2026-12297

Vulnrichment

Updated: 2026-06-18T14:05:49.387Z

NVD

Status : Undergoing Analysis

Published: 2026-06-16T13:16:29.927

Modified: 2026-06-16T17:16:33.660

Link: CVE-2026-12297

Redhat

Severity : Important

Publid Date: 2026-06-16T11:52:30Z

Links: CVE-2026-12297 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T18:15:02Z

Weaknesses

CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-653
Improper Isolation or Compartmentalization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object