CVE-2026-12290
Description
A high-severity memory safety bug in Firefox, fixed in versions 152, ESR 140.12, and ESR 115.37, could lead to potentially exploitable memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2026-12290 is a memory safety bug present in Firefox prior to version 152, Firefox ESR prior to version 140.12, and Firefox ESR prior to version 115.37 [1][2][3]. The specific component and trigger conditions have not been disclosed in the available references, but the bug was reported by jayjayjazz and tracked as Bug 2024852 [1]. It is classified as a memory safety vulnerability with a high impact rating [1][2][3].
Exploitation
Exploitation details are not provided in the available references. As with typical memory safety bugs, an attacker would likely need to craft a web page or content that triggers the vulnerability in the browser's memory handling. No specific preconditions, authentication requirements, or user interaction beyond visiting a malicious page have been published [1][2][3].
Impact
Successful exploitation of this memory safety bug could lead to memory corruption. The exact impact is not detailed, but memory safety bugs in a browser context can often lead to arbitrary code execution or other severe consequences. Mozilla has assessed the impact as high [1][2][3].
Mitigation
This vulnerability is fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37, all released on June 16, 2026 [1][2][3]. Users should upgrade to the patched versions immediately. No workarounds have been published. The affected versions are now end-of-life for security support unless users update.
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=152
- Range: <=140.12
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.