Description
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Published: 2026-06-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a memory safety bug that can result in out-of-bounds read (CWE-125), out-of-bounds write (CWE-787), use‑after‑free (CWE-416), and type confusion (CWE-843) conditions. These weaknesses can allow an attacker to read sensitive data from memory, corrupt program state, or crash the application, thereby compromising confidentiality and availability.

Affected Systems

The flaw affects Mozilla Firefox and Mozilla Thunderbird versions prior to 152 (or Firefox ESR 140.12 and Thunderbird ESR 140.12). The bug was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. The EPSS score of <1% shows a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. It is inferred that exploitation would likely require an attacker to deliver malicious content to the application, such as a crafted email or attachment, or to exploit local privileges during processing.

Generated by OpenCVE AI on June 18, 2026 at 21:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Mozilla Firefox release (152 or newer) or apply the ESR 140.12 update.
  • Update to the latest Mozilla Thunderbird release (152 or newer) or apply the ESR 140.12 update.
  • If a patch cannot be applied immediately, avoid using the compromised versions and disable any untrusted extensions that may interact with email content until the update is installed.

Generated by OpenCVE AI on June 18, 2026 at 21:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4635-1 firefox-esr security update
Debian DLA Debian DLA DLA-4636-1 thunderbird security update
Debian DSA Debian DSA DSA-6350-1 firefox-esr security update
Debian DSA Debian DSA DSA-6351-1 thunderbird security update
History

Thu, 18 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Title Memory safety bug fixed in Thunderbird 152 Memory safety bug fixed in Firefox 152

Thu, 18 Jun 2026 16:45:00 +0000


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12. Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Title Memory safety bug fixed in Firefox 152 Memory safety bug fixed in Thunderbird 152
References

Tue, 16 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-416
CWE-787
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Title Memory safety bug fixed in Firefox 152
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-30T12:05:55.065Z

Reserved: 2026-06-15T15:08:09.561Z

Link: CVE-2026-12298

cve-icon Vulnrichment

Updated: 2026-06-30T02:41:47.663Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-16T13:16:30.040

Modified: 2026-06-16T20:30:50.763

Link: CVE-2026-12298

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-16T11:52:31Z

Links: CVE-2026-12298 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:00:12Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-416

    Use After Free

  • CWE-787

    Out-of-bounds Write

  • CWE-843

    Access of Resource Using Incompatible Type ('Type Confusion')