VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2026-12291

Description

Use-after-free in Firefox's Networking: HTTP component could lead to code execution; fixed in Firefox 152, ESR 140.12, and ESR 115.37.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A use-after-free vulnerability exists in the Networking: HTTP component of Firefox. This memory safety bug can be triggered under specific conditions when handling HTTP connections. The vulnerability affects Firefox versions prior to 152, Firefox ESR versions prior to 140.12, and Firefox ESR versions prior to 115.37 [1][2][3].

Exploitation

An attacker would need to craft a malicious HTTP request or response to trigger the use-after-free condition. The bug was reported by researcher Zijie Zhao and carries a high impact rating. Network-based attacks may be feasible, but the advisory does not publicly detail how to trigger the vulnerability and discloses no proof-of-concept [1].

Impact

Successful exploitation of this use-after-free could corrupt memory and allow an attacker to achieve arbitrary code execution in the context of the browser process. Mozilla rates the impact as high. This could lead to full compromise of the affected system [1].

Mitigation

The vulnerability is fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37, released on June 16, 2026. Users and administrators should update to the latest versions as soon as possible. No workarounds are available; applying the patched versions is the recommended mitigation [1][2][3].

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

6
