Description
Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves memory safety bugs that can corrupt memory during processing of data in Mozilla Firefox and Thunderbird browsers. The bugs are facilitated by a buffer overflow flaw (CWE‑120) and by improper validation of memory allocations (CWE‑825). When successfully exploited, an attacker could potentially execute arbitrary code with the privileges of the user running the browser. The description notes that with sufficient effort some of these bugs could have been exploited to run arbitrary code, indicating a high impact if exploitation is achieved.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected, specifically the following builds: Firefox ESR 115.36, Firefox ESR 140.11, Firefox 151, Thunderbird ESR 140.11, and Thunderbird 151. These vulnerabilities were fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. Users running any of the listed affected versions should check for and install the corresponding patched releases.

Risk and Exploitability

The CVSS score of 8.1 indicates that this is a high‑severity condition. The EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves delivering crafted content or files that trigger the memory corruption while the browser parses them; therefore user interaction or the processing of untrusted data is likely required.

Generated by OpenCVE AI on June 18, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox and Thunderbird to at least the patched versions (Firefox 152 or ESR 140.12/115.37; Thunderbird 152 or ESR 140.12).
  • If an immediate update cannot be performed, restrict the processing of untrusted web content by disabling or limiting JavaScript, active content, or extensions that handle external data.
  • Review Mozilla security advisories to confirm the exact patch levels and apply any additional configuration steps recommended by Mozilla for protecting against memory corruption vulnerabilities.

Generated by OpenCVE AI on June 18, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4635-1 firefox-esr security update
Debian DLA Debian DLA DLA-4636-1 thunderbird security update
Debian DSA Debian DSA DSA-6350-1 firefox-esr security update
Debian DSA Debian DSA DSA-6351-1 thunderbird security update
History

Thu, 18 Jun 2026 16:45:00 +0000


Tue, 16 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37. Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
References

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
Title Memory safety bugs fixed in Firefox ESR 115.37, Firefox ESR 140.12, Thunderbird ESR 140.12, Firefox 152 and Thunderbird 152
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-30T12:05:54.510Z

Reserved: 2026-06-15T15:08:22.260Z

Link: CVE-2026-12328

cve-icon Vulnrichment

Updated: 2026-06-30T02:41:44.054Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-16T13:16:33.567

Modified: 2026-06-16T20:58:59.217

Link: CVE-2026-12328

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-16T11:53:01Z

Links: CVE-2026-12328 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T18:30:15Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-825

    Expired Pointer Dereference