Description
Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The reported bugs are classic memory safety violations, specifically buffer overrun or underrun weaknesses classified as CWE-119 and a data‑overlap or out‑of‑bounds write weakness classified as CWE-787. The description indicates that memory corruption was observed and that, with enough effort, the bugs could have been exploited to execute arbitrary code, which is the most severe impact on confidentiality, integrity, and availability.

Affected Systems

Vulnerabilities exist in Firefox ESR 140.11 and the non‑ESR release Firefox 151, as well as in Thunderbird ESR 140.11 and Thunderbird 151. The issue was corrected in Firefox 152 and the ESR branch 140.12, with the same updates applied to Thunderbird 152 and Thunderbird ESR 140.12. Any system that remains on one of the earlier releases is exposed.

Risk and Exploitability

The CVSS score of 8.1 signals a high severity vulnerability, while the EPSS score of less than 1 % indicates that exploitation is currently unlikely on a broad scale. The vulnerability is not listed in CISA’s KEV catalogue. The exploit path is not explicitly detailed in the advisory; it is inferred that an attacker would need to supply crafted input that triggers memory corruption, possibly through malicious content such as a web page or email, requiring user interaction. Because the vulnerability remains theoretically exploitable, organizations should consider the possibility of remote code execution as a risk.

Generated by OpenCVE AI on June 18, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 152 or later, or to ESR 140.12 or later if using the ESR release line.
  • Upgrade Thunderbird to version 152 or later, or to ESR 140.12 or later if using the ESR release line.
  • Enable automatic updates on all affected browsers to ensure future patches are applied promptly.

Generated by OpenCVE AI on June 18, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4635-1 firefox-esr security update
Debian DLA Debian DLA DLA-4636-1 thunderbird security update
Debian DSA Debian DSA DSA-6350-1 firefox-esr security update
Debian DSA Debian DSA DSA-6351-1 thunderbird security update
History

Thu, 18 Jun 2026 16:45:00 +0000


Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12. Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
References

Tue, 16 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Title Memory safety bugs fixed in Firefox ESR 140.12, Thunderbird ESR 140.12, Firefox 152 and Thunderbird 152
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-17T11:08:52.536Z

Reserved: 2026-06-15T15:08:22.115Z

Link: CVE-2026-12327

cve-icon Vulnrichment

Updated: 2026-06-16T15:47:07.524Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-16T13:16:33.473

Modified: 2026-06-16T17:16:38.330

Link: CVE-2026-12327

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-16T11:53:00Z

Links: CVE-2026-12327 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T18:30:15Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-787

    Out-of-bounds Write