Vypr Intelligence · AI-generated · Jun 16, 2026 · 25 CVEs

Mozilla Patches 25 CVEs in Firefox and Thunderbird, Including Two Critical DOM Security Bypasses

Mozilla disclosed 25 CVEs in a single June 16 advisory for Firefox, Firefox ESR, and Thunderbird, including two critical DOM Security bypasses and eight high-severity memory safety bugs.

Key findings

  • Two critical-rated DOM Security mitigation bypasses (CVE-2026-12316, CVE-2026-12315), both CVSSv3 9.1
  • Eight high-severity memory safety bugs, including one rated 8.1 (CVE-2026-12328)
  • 25 CVEs disclosed in a single coordinated advisory on June 16, 2026
  • Bugs span graphics, sandboxing, password manager, WebAssembly, and NSS libraries
  • Fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12
  • No evidence of active exploitation reported at time of disclosure

Mozilla released a massive security update for Firefox, Firefox ESR, and Thunderbird on June 16, 2026, disclosing 25 CVEs in a single coordinated advisory. The batch includes two critical-rated mitigation bypasses in the DOM Security component, eight high-severity memory safety bugs, and a wide range of medium-severity issues spanning graphics, password management, sandboxing, and WebAssembly — making it one of the largest single-day patch drops from the vendor this year.

Critical mitigation bypasses in DOM Security

Two CVEs stand out at the top of the severity scale. CVE-2026-12316 and CVE-2026-12315 are both rated Critical (CVSSv3 9.1) and described as mitigation bypasses in the DOM: Security component. These flaws allow an attacker to bypass browser security mechanisms, potentially enabling code execution or privilege escalation. CVE-2026-12315 is fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12, while CVE-2026-12316 is fixed in Firefox 152 and Thunderbird 152.

Memory safety bugs dominate the batch

Eight high-severity memory safety bugs form the core of the disclosure. CVE-2026-12328 (CVSSv3 8.1) is the highest-rated among them, affecting Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151, and Thunderbird 151 — Mozilla notes that some of these bugs showed evidence of memory corruption and could be exploited to run arbitrary code. CVE-2026-12327 (CVSSv3 7.3) follows the same pattern. Additional high-severity memory safety bugs include CVE-2026-12317, CVE-2026-12314, CVE-2026-12312, CVE-2026-12310, CVE-2026-12305 (all CVSSv3 7.5), and CVE-2026-12325 (CVSSv3 6.5). Several of these are explicitly noted as "memory safety bug fixed in Thunderbird 152," indicating they were discovered through Thunderbird-specific testing.

Graphics, sandboxing, and boundary condition flaws

Beyond memory safety, the advisory addresses a range of component-specific vulnerabilities. CVE-2026-12324 (High, CVSSv3 7.3) is an incorrect boundary condition in the Graphics: CanvasWebGL component, while CVE-2026-12325 (Medium, CVSSv3 6.5) is a denial-of-service in Graphics: ImageLib. CVE-2026-12318 (High, CVSSv3 7.3) involves incorrect boundary conditions in the NSS libraries. Two medium-severity information-disclosure and sandbox-escape bugs — CVE-2026-12313 and CVE-2026-12311 (both CVSSv3 4.7) — affect the Security: Process Sandboxing component. CVE-2026-12330 (Medium, CVSSv3 5.4) is an incorrect boundary condition in the Internationalization component.

Spoofing, clickjacking, and JIT miscompilation

Several medium-severity bugs target user interface and scripting engine components. CVE-2026-12323 (CVSSv3 5.4) is a spoofing issue in DOM: Core & HTML. CVE-2026-12322 (CVSSv3 5.4) is a clickjacking issue in the Widget: Gtk component. CVE-2026-12321 (CVSSv3 5.4) is a JIT miscompilation in the JavaScript: WebAssembly component. CVE-2026-12320 (CVSSv3 4.3) is an information disclosure in the Password Manager component. CVE-2026-12319 (CVSSv3 6.5) is a denial-of-service in the Audio/Video: Playback component.

Patch status and affected versions

All 25 CVEs are addressed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12, depending on the specific CVE. Users on Firefox 151, Firefox ESR 140.11, Firefox ESR 115.36, Thunderbird 151, and Thunderbird ESR 140.11 are urged to update immediately. Mozilla's advisory provides no indication of active exploitation in the wild at the time of disclosure.
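As an added example (not code from the advisory or from Vypr), a small Python check that classifies an inventory of Firefox and Thunderbird builds against the fixed versions named above; it handles the ESR branches, whose version numbers sit below the mainline release even when patched. The host names and version strings in the sample inventory are constructed.

```python
"""Flag Firefox/Thunderbird builds missing the June 16, 2026 fixes.

Fixed versions are those stated in the advisory summary: Firefox 152,
Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, Thunderbird 140.12.
"""
from __future__ import annotations

# First patched release per branch. ESR majors get their own threshold;
# every other major is measured against the mainline fix, so a plain
# "version >= 152" test would wrongly flag a patched 140.12 or 115.37.
FIXED = {
    "firefox": {115: (115, 37), 140: (140, 12), "release": (152, 0)},
    "thunderbird": {140: (140, 12), "release": (152, 0)},
}


def parse_version(version: str) -> tuple[int, ...]:
    """'140.12.1esr' -> (140, 12, 1); channel suffixes are dropped."""
    parts = []
    for piece in version.strip().lower().removesuffix("esr").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def is_patched(product: str, version: str) -> bool:
    """True if the build is at or above the first fixed release of its branch."""
    v = parse_version(version)
    branches = FIXED[product.lower()]
    # 116..139 and 141..151 are not ESR branches, so they fall back to the
    # mainline threshold and are reported as unpatched.
    threshold = branches.get(v[0], branches["release"])
    return v >= threshold


# Constructed sample inventory: (host, product, installed version).
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "152.0"),
    ("ws-02", "firefox", "151.0.1"),
    ("srv-03", "firefox", "140.11.0esr"),
    ("srv-04", "firefox", "115.37.0esr"),
    ("mail-05", "thunderbird", "140.12.0"),
    ("mail-06", "thunderbird", "151.0"),
]


def unpatched_hosts(inventory) -> list[str]:
    """Sorted host names whose installed build predates the fix for its branch."""
    return sorted(h for h, prod, ver in inventory if not is_patched(prod, ver))
```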

What this means for users

This batch underscores the breadth of attack surface in modern browsers — from memory corruption in the rendering engine to logic flaws in password management and sandboxing. The two critical-rated DOM Security bypasses are particularly noteworthy, as they could undermine the browser's core security model. Organizations running Firefox ESR or Thunderbird ESR should prioritize patching, especially given that several memory safety bugs affect the older ESR 115 branch.

AI-written article. Grounded in 25 CVE records listed below.