CVE-2026-12328

Vulnerability

Multiple memory safety bugs were present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151, and Thunderbird 151. The description indicates evidence of memory corruption, and with sufficient effort, these could have been exploited to run arbitrary code. The specific bugs are listed in the Mozilla Foundation Security Advisories [1][2][3] and include use-after-free, incorrect boundary conditions, sandbox escapes, and other memory corruption issues.

Exploitation

An attacker would need to craft inputs that trigger the memory safety flaws. The vulnerabilities are reachable without special user interaction beyond normal browsing or email reading (e.g., rendering a malicious web page, processing a crafted email). The exact steps vary per bug but generally involve delivering a payload via a web page or email content that causes memory corruption.

Impact

Successful exploitation could allow an attacker to achieve arbitrary code execution in the context of the affected application. The impact is rated high by Mozilla, with potential for full system compromise depending on the specific vulnerability and the privileges of the Firefox or Thunderbird process.

Mitigation

Mozilla fixed these issues in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37, all released on June 16, 2026 [1][2][3]. Users should update to the latest versions. No workarounds are provided; updating is the only mitigation.