Description
Incorrect boundary conditions in the Internationalization component. This vulnerability was fixed in Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 140.12.
Published: 2026-06-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Incorrect boundary conditions in the Internationalization component can lead to a buffer overflow (CWE‑119) and integer overflow (CWE‑131). If triggered, an attacker may cause the application to crash or, in the worst case, execute arbitrary code on the affected host. The weakness arises from improper handling of internationalized input, which can corrupt memory if supplied data exceeds expected limits or when size calculations fail.

Affected Systems

The vulnerability affects Mozilla Firefox ESR and Thunderbird installations that are older than the versions where the issue was fixed: Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 140.12. Any user running earlier ESR releases of either product without these specific patches is vulnerable.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. The EPSS score of less than 1% suggests a low probability of real‑world exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a maliciously crafted internationalized string delivered via a web page or email; the exact method of exploitation is not detailed in the advisory, so this inference is made from the nature of the weakness.

Generated by OpenCVE AI on June 18, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox ESR 140.12 or later and to Thunderbird 140.12 or later, ensuring the installed release matches the fixed revisions.
  • If an immediate upgrade is not feasible, disable or restrict automatic processing of internationalized input in the affected application’s configuration to mitigate the risk of a buffer overflow.
  • Continuously monitor Mozilla’s security advisories and apply subsequent patches as they are released.

Generated by OpenCVE AI on June 18, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4635-1 firefox-esr security update
Debian DLA Debian DLA DLA-4636-1 thunderbird security update
Debian DSA Debian DSA DSA-6350-1 firefox-esr security update
Debian DSA Debian DSA DSA-6351-1 thunderbird security update
History

Thu, 18 Jun 2026 16:45:00 +0000


Tue, 16 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Internationalization component. This vulnerability was fixed in Firefox ESR 140.12 and Firefox ESR 115.37. Incorrect boundary conditions in the Internationalization component. This vulnerability was fixed in Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 140.12.
References

Tue, 16 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Internationalization component. This vulnerability was fixed in Firefox ESR 140.12 and Firefox ESR 115.37.
Title Incorrect boundary conditions in the Internationalization component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-06-16T16:08:47.339Z

Reserved: 2026-06-15T15:08:22.804Z

Link: CVE-2026-12330

cve-icon Vulnrichment

Updated: 2026-06-16T15:08:23.101Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-16T13:16:33.747

Modified: 2026-06-16T20:56:24.123

Link: CVE-2026-12330

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-16T11:53:03Z

Links: CVE-2026-12330 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T18:30:15Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-131

    Incorrect Calculation of Buffer Size