Description
Memory safety bugs present in Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Firefox 151 and Thunderbird 151 contain memory safety bugs, some of which showed evidence of memory corruption. With enough effort, some of these bugs could presumably have been exploited to run arbitrary code. The weakness is categorized as CWE-119, which covers improper buffer handling and can lead to arbitrary code execution when triggered.

Affected Systems

The affected products are Mozilla Firefox and Mozilla Thunderbird. Versions up to and including 151 are vulnerable; the vulnerability was fixed in Firefox 152 and Thunderbird 152.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity risk. The EPSS score is less than 1%, suggesting that exploitation of this vulnerability is currently unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog. The attack vector is not explicitly stated in the advisory, but based on the description it is inferred that the exploit would require the affected application to be executed, potentially with user interaction or via a malicious webpage or email attachment. No public proof-of-concept is disclosed, so the likelihood remains low, yet the high impact warrants prompt remediation.

Generated by OpenCVE AI on June 17, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 152 or newer, and Thunderbird 152 or newer; the patch removes the memory safety bugs.
  • Restrict execution of untrusted add‑ons or plugins in Firefox, and quarantine or disable processing of untrusted email attachments in Thunderbird until the patch is applied.
  • Continuously monitor application logs and system activity for anomalous memory access or crashes that could indicate an attempt to exploit similar memory corruption vulnerabilities.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 11:30:00 +0000

Type: Metrics
Values Removed:
  • cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added:
  • cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 16:45:00 +0000

Type: Description
Values Removed: Memory safety bugs present in Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152.
Values Added: Memory safety bugs present in Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

Type: References

Tue, 16 Jun 2026 16:30:00 +0000

Type: Weaknesses
Values Added: CWE-119

Type: Metrics
Values Added:
  • cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:00:00 +0000

Type: First Time appeared
Values Added:
  • Mozilla
  • Mozilla firefox
  • Mozilla thunderbird

Type: Vendors & Products
Values Added:
  • Mozilla
  • Mozilla firefox
  • Mozilla thunderbird

Tue, 16 Jun 2026 13:15:00 +0000


MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-17T11:09:23.959Z

Reserved: 2026-06-15T15:08:21.967Z

Link: CVE-2026-12326

Vulnrichment

Updated: 2026-06-16T15:48:43.540Z

NVD

Status: Undergoing Analysis

Published: 2026-06-16T13:16:33.380

Modified: 2026-06-16T17:16:38.157

Link: CVE-2026-12326

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T14:45:15Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer