CVE-2026-12293

Vulnerability

A use-after-free vulnerability exists in the Graphics: WebGPU component of Firefox. This memory safety bug was identified in Firefox versions prior to 152 and is reported via Bug 2039568 [1]. The exact code path and conditions required to trigger the use-after-free have not been publicly detailed, but it affects the WebGPU API implementation.

Exploitation

An attacker would need to craft a web page or content that triggers the use-after-free condition in the WebGPU code path. The vulnerability can be exploited without any user interaction beyond visiting the malicious page, as WebGPU can be accessed from JavaScript. The specific sequence of steps to trigger the bug is not disclosed in the available references.

Impact

Successful exploitation could lead to memory corruption, potentially allowing an attacker to achieve arbitrary code execution within the Firefox sandbox. The Mozilla advisory rates the impact as high [1]. The exact privilege level or scope of compromise beyond code execution is not specified.

Mitigation

The vulnerability is fixed in Firefox 152, released on June 16, 2026 [1]. Users should update to Firefox 152 or later. No workarounds are available for older versions. The CVE is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date.