Description
Memory safety bug fixed in Thunderbird ESR 140.12. This vulnerability was fixed in Firefox ESR 140.12 and Thunderbird 140.12.
Published: 2026-06-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves a memory safety bug that can result in buffer overflows, use‑after‑free conditions, or null pointer dereferences. This can corrupt application memory, potentially causing crashes or providing a foothold for malicious code if the flaw is successfully leveraged.

Affected Systems

Mozilla Firefox (Extended Support Release) prior to version 140.12 and Mozilla Thunderbird (Extended Support Release) prior to version 140.12 are affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. With an EPSS score below 1% and no listing in CISA KEV, exploitation is currently unlikely. Nevertheless, the flaw could be triggered by maliciously crafted email content or attachments, so the likely vector is local or remote delivery of corrupted data. Successful exploitation would depend on an attacker’s ability to get the target to process the harmful input.

Generated by OpenCVE AI on June 17, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox ESR to version 140.12 or later.
  • Upgrade Thunderbird ESR to version 140.12 or later.
  • If an upgrade is not immediately possible, restrict the processing of potentially malformed email attachments and remain vigilant for abnormal crashes.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla thunderbird
CPEs | | cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*, cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products | | Mozilla thunderbird

Tue, 16 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | Memory safety bug fixed in Firefox ESR 140.12. This vulnerability was fixed in Firefox ESR 140.12. | Memory safety bug fixed in Thunderbird ESR 140.12. This vulnerability was fixed in Firefox ESR 140.12 and Thunderbird 140.12.
Title | Memory safety bug fixed in Firefox ESR 140.12 | Memory safety bug fixed in Thunderbird ESR 140.12
References | |

Tue, 16 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-119, CWE-416, CWE-476
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Jun 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla, Mozilla firefox
Vendors & Products | | Mozilla, Mozilla firefox

Tue, 16 Jun 2026 13:15:00 +0000

Type | Values Removed | Values Added
Description | | Memory safety bug fixed in Firefox ESR 140.12. This vulnerability was fixed in Firefox ESR 140.12.
Title | | Memory safety bug fixed in Firefox ESR 140.12
References | |

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-16T16:08:46.826Z

Reserved: 2026-06-15T15:08:22.406Z

Link: CVE-2026-12329

Vulnrichment

Updated: 2026-06-16T15:45:47.257Z

NVD

Status: Analyzed

Published: 2026-06-16T13:16:33.657

Modified: 2026-06-16T20:57:47.557

Link: CVE-2026-12329

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T14:45:15Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-416

    Use After Free

  • CWE-476

    NULL Pointer Dereference