Description
JIT miscompilation in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Published: 2026-06-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JIT miscompilation occurs in the DOM: Core & HTML component, causing the just‑in‑time compiler to generate incorrect machine code for certain JavaScript execution paths. The flaw involves an improper conversion of data (CWE‑843) and may also stem from a missing default case in switch handling (CWE‑733). The resulting undesired execution behavior could enable an attacker to run non‑intended code within the browser or email client process.

Affected Systems

Mozilla Firefox versions 152 and the ESR branches 140.12 and 115.37, and Mozilla Thunderbird versions 152 and the ESR branch 140.12 are affected. Any client running these releases or older ones is vulnerable.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. Based on the nature of the JIT miscompilation, the likely attack vector involves a malicious web page or embedded content that executes JavaScript, though this is inferred from the description and not verified by any exploitation evidence.

Generated by OpenCVE AI on June 18, 2026 at 18:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 152 or later, or to the ESR 140.12 or 115.37 release.
  • Upgrade to Thunderbird 152 or later, or to the ESR 140.12 release.
  • Enable automatic updates to receive security patches promptly.

Generated by OpenCVE AI on June 18, 2026 at 18:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4635-1 firefox-esr security update
Debian DLA Debian DLA DLA-4636-1 thunderbird security update
Debian DSA Debian DSA DSA-6350-1 firefox-esr security update
Debian DSA Debian DSA DSA-6351-1 thunderbird security update
History

Thu, 18 Jun 2026 16:45:00 +0000


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description JIT miscompilation in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37. JIT miscompilation in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
References

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-843
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description JIT miscompilation in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
Title JIT miscompilation in the DOM: Core & HTML component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-30T12:05:54.790Z

Reserved: 2026-06-15T15:08:10.195Z

Link: CVE-2026-12299

cve-icon Vulnrichment

Updated: 2026-06-30T02:41:44.452Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-16T13:16:30.147

Modified: 2026-06-16T20:35:17.590

Link: CVE-2026-12299

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-16T11:52:32Z

Links: CVE-2026-12299 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T18:15:02Z

Weaknesses
  • CWE-733

    Compiler Optimization Removal or Modification of Security-critical Code

  • CWE-843

    Access of Resource Using Incompatible Type ('Type Confusion')