Skip to main content

Mozilla Firefox CVE-2026-12324

| EUVD-2026-37070 HIGH
Improper Check or Handling of Exceptional Conditions (CWE-703)
2026-06-16 mozilla GHSA-p449-4x9g-97vg
Mozilla Information Disclosure
7.3
CVSS 3.1 · Vendor: mozilla
Share

Severity by source

Vendor (mozilla) PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Browser flaw requires victim to load attacker page (UI:R); information-disclosure tag and Low impact metrics support C:L/A:L with no integrity impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (mozilla).

CVSS VectorVendor: mozilla

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Jun 16, 2026 - 17:23 vuln.today
CVSS changed
Jun 16, 2026 - 17:22 NVD
7.3 (HIGH)
CVE Published
Jun 16, 2026 - 11:52 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.

Articles & Coverage 1

News 5 New Mozilla Vulnerabilities - 5 High Severity, No Public POC Jun 16, 2026

AnalysisAI

Memory safety flaw in the CanvasWebGL graphics component of Mozilla Firefox allows remote attackers to trigger incorrect boundary handling through crafted web content, leading to limited confidentiality, integrity, and availability impact. The issue affects Firefox prior to version 152 and Firefox ESR prior to 140.12, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts malicious WebGL page
Delivery
Victim visits page in unpatched Firefox
Exploit
JavaScript invokes CanvasWebGL with boundary inputs
Execution
Component mishandles boundary condition
Impact
Memory disclosure or renderer disruption occurs
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Victim must run an unpatched Firefox (<152) or Firefox ESR (<140.12) build with WebGL enabled (the default configuration) and load attacker-controlled web content in a context where JavaScript and the CanvasWebGL API are permitted. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L yields 7.3 (High) and reflects browser-style remote drive-by exposure: any user visiting a malicious page can be targeted without authentication or interaction prompts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a malicious web page containing crafted JavaScript that invokes WebGL canvas operations with boundary-edge parameters; when a victim navigates to the page in an unpatched Firefox, the CanvasWebGL component mishandles the input and leaks memory contents or destabilizes the renderer process. The attacker could combine this with social engineering (phishing link, malvertising) to broaden reach, and no public exploit identified at time of analysis means active campaigns are not currently documented.
Remediation Vendor-released patch: upgrade to Firefox 152 or Firefox ESR 140.12 (or later) as documented in Mozilla advisories MFSA2026-57, MFSA2026-58, MFSA2026-60, and MFSA2026-61 at https://www.mozilla.org/security/advisories/. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all Firefox deployments, particularly ESR instances in production environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49980 CRITICAL
9.8 Jun 16

Unauthenticated remote command execution in rclone's remote control daemon (rcd) affects versions 1.55.0 through 1.74.2

CVE-2026-12304 CRITICAL
9.1 Jun 16

Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 152 and Firefox

CVE-2026-12315 CRITICAL
9.1 Jun 16

Security mitigation bypass in the DOM: Security component of Mozilla Firefox allows remote attackers to circumvent brows
CVE-2026-12316 CRITICAL
9.1 Jun 16

Security mitigation bypass in the DOM: Security component of Mozilla Firefox prior to version 152 allows remote attacker
CVE-2026-12289 HIGH
8.8 Jun 16

Privilege escalation in the WebRender graphics component of Mozilla Firefox enables remote attackers to elevate privileg

Share

CVE-2026-12324 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy