Description
Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Published: 2026-06-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the Graphics: ImageLib component and permits a specially crafted image file to trigger a crash during processing. The resulting crash causes a temporary loss of functionality for the application, effectively denying service to legitimate users. Because the exploit does not provide a path to read, modify, or execute arbitrary code, confidentiality and integrity remain unaffected. The issue aligns with CWE-400 (Uncontrolled Resource Consumption) and CWE-1286 (Integer data source causes excessive allocation).

Affected Systems

Mozilla Firefox users of versions earlier than 152 are vulnerable; ESR builds 140.12 and 115.37 have the fix and are not affected. Likewise, all Mozilla Thunderbird releases older than 152 are vulnerable; ESR 140.12 does not contain the defect.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate risk level. The EPSS score of <1% suggests that exploitation is unlikely at this time, and the vulnerability is not present in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is remote, with an adversary delivering malicious image content via a web page or an email attachment to trigger the crash.

Generated by OpenCVE AI on June 18, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 152 or later; ESR 140.12 and 115.37 already contain the fix.
  • If an immediate upgrade is not possible, configure the application to enforce stricter memory limits on image processing to mitigate resource exhaustion effects.
  • Monitor application logs for repeated crashes or abnormal memory usage that may indicate exploitation attempts.

Generated by OpenCVE AI on June 18, 2026 at 21:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4635-1 firefox-esr security update
Debian DLA Debian DLA DLA-4636-1 thunderbird security update
Debian DSA Debian DSA DSA-6350-1 firefox-esr security update
Debian DSA Debian DSA DSA-6351-1 thunderbird security update
History

Thu, 18 Jun 2026 16:45:00 +0000


Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37. Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
References

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
Title Denial-of-service in the Graphics: ImageLib component
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-16T16:08:44.643Z

Reserved: 2026-06-15T15:08:21.546Z

Link: CVE-2026-12325

cve-icon Vulnrichment

Updated: 2026-06-16T14:45:10.694Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-16T13:16:33.267

Modified: 2026-06-16T17:16:37.993

Link: CVE-2026-12325

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-16T11:52:58Z

Links: CVE-2026-12325 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:15:03Z

Weaknesses
  • CWE-1286

    Improper Validation of Syntactic Correctness of Input

  • CWE-400

    Uncontrolled Resource Consumption