Description
Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Published: 2026-06-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A memory safety bug identified in Mozilla Firefox and Thunderbird can cause unpredictable behavior or a crash. The weakness involves an insecure memory operation, classified as a buffer overflow (CWE‑119) or an improper storage of sensitive information (CWE‑825). The official description confirms that the issue has been fixed in version 152 of both browsers and in ESR 140.12. While the exact impact on confidentiality, integrity or availability is not explicitly detailed, a vulnerable instance could potentially be exploited to terminate the program or, in a more severe scenario, to execute arbitrary code if the overflow is triggered in a context that allows code execution.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. For Firefox the fix is available in version 152 and in the ESR branch at 140.12. Thunderbird receives its mitigation in releases 152 and 140.12. No other browsers or products are listed as impacted.

Risk and Exploitability

The CVSS score of 5.3 suggests a medium severity. The EPSS score of less than 1% indicates a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is inferred to be local or requires a crafted input, as the vulnerability is a memory safety issue. With no known exploitation reports, the overall risk is moderate to low for most environments, yet users should still apply the fix to prevent potential exploitation.

Generated by OpenCVE AI on June 18, 2026 at 21:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 152 or later, or to ESR 140.12 or newer
  • Update Mozilla Thunderbird to version 152 or newer, or to ESR 140.12 or newer
  • If an immediate update is not possible, avoid using features that may trigger the unsafe memory operation until a patch is applied

Generated by OpenCVE AI on June 18, 2026 at 21:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4635-1 firefox-esr security update
Debian DLA Debian DLA DLA-4636-1 thunderbird security update
Debian DSA Debian DSA DSA-6350-1 firefox-esr security update
Debian DSA Debian DSA DSA-6351-1 thunderbird security update
History

Thu, 18 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Title Memory safety bug fixed in Thunderbird 152 Memory safety bug fixed in Firefox 152

Thu, 18 Jun 2026 16:45:00 +0000


Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12. Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Title Memory safety bug fixed in Firefox 152 Memory safety bug fixed in Thunderbird 152
References

Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Title Memory safety bug fixed in Firefox 152
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-18T18:00:50.137Z

Reserved: 2026-06-15T15:08:13.454Z

Link: CVE-2026-12307

cve-icon Vulnrichment

Updated: 2026-06-16T17:37:11.140Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-16T13:16:30.933

Modified: 2026-06-16T19:16:33.140

Link: CVE-2026-12307

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-16T11:52:40Z

Links: CVE-2026-12307 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:00:12Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-825

    Expired Pointer Dereference