Mozilla Patches 11 CVEs in Firefox and Thunderbird, Including Critical DOM Bypass
Mozilla disclosed 11 CVEs across Firefox and Thunderbird on June 16, including a critical DOM security bypass and multiple high-severity memory corruption bugs.

Key findings
- One critical mitigation bypass (CVE-2026-12315, CVSS 9.1) in the DOM Security component
- Multiple high-severity memory safety bugs (CVE-2026-12326, CVE-2026-12324, CVE-2026-12318) at CVSS 7.3
- Sandbox escape (CVE-2026-12297) due to incorrect boundary conditions in Networking
- All flaws fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12
- No evidence of active exploitation reported at time of disclosure
Mozilla shipped a coordinated security update for Firefox, Firefox ESR, and Thunderbird on June 16, 2026, disclosing 25 CVEs in a single advisory — including one critical-rated mitigation bypass in the DOM Security component and several high-severity memory safety bugs that could lead to arbitrary code execution. The batch, which spans graphics, sandboxing, WebAssembly, NSS libraries, and networking, was fixed across Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Critical mitigation bypass in DOM Security
The most severe vulnerability in this batch is CVE-2026-12315 (CVSSv3 9.1), a mitigation bypass in the DOM Security component. The flaw allows an attacker to bypass security protections built into the browser's document object model, potentially enabling further exploitation of other bugs. The fix was shipped in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Memory safety bugs and code-execution risks
Several high-severity memory safety bugs were patched. CVE-2026-12326 (CVSSv3 7.3) covers memory safety bugs in Firefox 151 and Thunderbird 151 that showed evidence of memory corruption; Mozilla presumes that with enough effort some could have been exploited to run arbitrary code. CVE-2026-12306 and CVE-2026-12301 (both CVSSv3 5.3) are memory safety bugs specifically fixed in Thunderbird 152, and also addressed in Firefox 152, Firefox ESR 140.12, and Thunderbird 140.12.
Boundary-condition flaws across components
Incorrect boundary conditions were found in several components. CVE-2026-12324 (CVSSv3 7.3) affects the Graphics: CanvasWebGL component. CVE-2026-12318 (CVSSv3 7.3) resides in the NSS libraries component. CVE-2026-12330 (CVSSv3 5.4) is an incorrect boundary condition in the Internationalization component, fixed in Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 140.12. CVE-2026-12297 (no CVSS score provided) is a sandbox escape due to incorrect boundary conditions in the Networking component, fixed across all product lines including Firefox ESR 115.37. CVE-2026-12292 (no CVSS score provided) is an incorrect boundary condition in the Web Audio component.
Denial-of-service and JIT miscompilation
CVE-2026-12325 (CVSSv3 6.5) is a denial-of-service vulnerability in the Graphics: ImageLib component, patched in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. CVE-2026-12321 (CVSSv3 5.4) is a JIT miscompilation in the JavaScript: WebAssembly component, fixed in Firefox 152 and Thunderbird 152.
Patch status and affected versions
All 11 CVEs in this batch were fixed in the same coordinated release. Users should update to Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, or Thunderbird 140.12, depending on their product line. Mozilla has not reported active exploitation of any of these vulnerabilities at the time of disclosure (Vypr Intelligence).
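To apply the fixed-version list above across a fleet, the following added example (not Mozilla's or the article's code) checks inventory rows against the releases named in this article. It assumes version strings of the form `151.0.1` or `140.11.0esr`; the host names and inventory rows are constructed.

```python
import re

# Fixed versions exactly as listed in the article.
FIXED_RELEASE = {"firefox": (152, 0), "thunderbird": (152, 0)}
FIXED_ESR = {
    "firefox": {140: (140, 12), 115: (115, 37)},
    "thunderbird": {140: (140, 12)},
}

# Assumption: versions look like "151.0.1" or "140.11.0esr".
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)*(esr)?$", re.IGNORECASE)


def assess(product, version):
    """Return (status, fixed_version_to_install_or_None)."""
    match = _VERSION.match(version.strip())
    if product not in FIXED_RELEASE or match is None:
        return ("unparsed", None)
    installed = (int(match.group(1)), int(match.group(2)))
    if match.group(3):  # ESR channel: compare within the same branch only
        fixed = FIXED_ESR[product].get(installed[0])
        if fixed is None:
            return ("no-fix-listed", None)  # branch not named in the article
    else:
        fixed = FIXED_RELEASE[product]
    if installed >= fixed:
        return ("patched", None)
    return ("vulnerable", "%d.%d" % fixed)


def triage(inventory):
    """Return the inventory rows that still need action, with their status."""
    findings = []
    for host, product, version in inventory:
        status, target = assess(product.lower(), version)
        if status != "patched":
            findings.append((host, product, version, status, target))
    return findings


# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = [
    ("ws-001", "firefox", "151.0.1"),
    ("ws-002", "firefox", "152.0"),
    ("ws-003", "firefox", "140.11.0esr"),
    ("ws-004", "firefox", "115.37.0esr"),
    ("ws-005", "thunderbird", "140.12.0esr"),
    ("ws-006", "thunderbird", "115.18.0esr"),
]
```

Rows reported as `no-fix-listed` are on an ESR branch for which this article names no fixed build, so they need a move to a listed branch, not a point update.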
Why this batch matters
This disclosure event underscores the breadth of attack surface in modern browser and email-client software — from DOM security and sandboxing to graphics, audio, and WebAssembly. The presence of a critical mitigation bypass alongside multiple memory corruption bugs means that even if one layer of defense holds, an attacker chaining these flaws could achieve code execution. Users of Firefox and Thunderbird should prioritize updating to the latest versions to close these gaps.