CVE-2026-12330
Description
Incorrect boundary conditions in Firefox's Internationalization component could lead to memory corruption. Fixed in ESR 140.12 and 115.37.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Incorrect boundary conditions exist in the Internationalization component of Firefox ESR, affecting versions before ESR 140.12 and ESR 115.37. The vulnerability, reported by the Mozilla Fuzzing Team, arises from improper handling of boundary checks during string or locale processing, potentially allowing memory corruption. The affected products are Firefox ESR 140.x before 140.12 and Firefox ESR 115.x before 115.37 [1][2].
Exploitation
An attacker would need to craft a malicious input or web page that triggers the boundary condition flaw within the Internationalization component. No special network position or authentication is required beyond the ability to serve content to a victim. The vulnerability can be exploited without user interaction beyond normal browsing, as the defect is reachable through standard locale or string handling routines [1][2].
Impact
If successfully exploited, the incorrect boundary conditions could lead to memory corruption, potentially allowing an attacker to execute arbitrary code or cause a denial of service. The vulnerability is rated as Moderate impact by Mozilla, indicating limited direct exploitability or preconditions for code execution [1][2]. The full scope of compromise is not detailed in the available references.
Mitigation
Mozilla has fixed this vulnerability in Firefox ESR 140.12 and ESR 115.37, both released on June 16, 2026 [1][2]. Users should update to these versions or later. No workarounds are provided. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=140.12
- Range: <140.12 (ESR 140 series) and <115.37 (ESR 115 series)
- Range: <140.12
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References