CVE-2026-12329

Vulnerability

A memory safety bug existed in Firefox ESR prior to version 140.12. The specific component is not disclosed, but the advisory from Mozilla [1] indicates this vulnerability affects all versions before the fix. This bug falls under the category of memory safety issues, which are common in Firefox and often lead to exploitable conditions.

Exploitation

An attacker could exploit this vulnerability by convincing a user to visit a malicious webpage or open a crafted email message. The attack requires no special user privileges beyond normal browsing. Given the high severity rating, exploitation likely involves corrupting memory through crafted content, though the exact trigger is not publicly detailed.

Impact

Successful exploitation could allow an attacker to execute arbitrary code within the context of the Firefox process, potentially leading to full compromise of the browser. This could result in data theft, further attacks on the system, or privilege escalation if the browser runs with elevated privileges. The impact is rated high by Mozilla.

Mitigation

The vulnerability is fixed in Firefox ESR 140.12, released on June 16, 2026 [1]. Users should update their browser to the latest version. No workarounds are available if the patch is not applied. The CVE is not listed on the CISA Known Exploited Vulnerabilities catalog.