
Mozilla Firefox CVE-2026-12328

EUVD-2026-37074 · HIGH
Classic Buffer Overflow (CWE-120)
2026-06-16 mozilla GHSA-gff2-447q-xjx8
8.1
CVSS 3.1 · Vendor: mozilla

Severity by source

Vendor (mozilla) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Browser memory corruption requires the victim to load malicious content (UI:R), and Mozilla notes non-trivial effort to weaponize (AC:H); no authentication is needed, and full content-process impact yields C/I/A:H.

CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mozilla).

CVSS Vector (Vendor: mozilla)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (3 events)

Jun 16, 2026 15:36 (vuln.today): Analysis generated
Jun 16, 2026 15:22 (NVD): CVSS changed to 8.1 (HIGH)
Jun 16, 2026 11:53 (cve.org): CVE published, severity UNKNOWN (no severity yet)

Description (CVE.org)

Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.

Analysis (AI)

Memory corruption vulnerabilities in Mozilla Firefox 151, Firefox ESR 115.36/140.11, and Thunderbird 151/ESR 140.11 allow remote attackers to potentially execute arbitrary code by serving crafted web content that triggers internal memory safety bugs. Mozilla developers observed evidence of memory corruption in several of these bugs and assess that sufficient effort could yield arbitrary code execution in the browser process. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Lure victim to malicious site or email
Delivery: Deliver crafted HTML/JS payload
Exploit: Trigger Gecko memory corruption
Execution: Achieve arbitrary code execution in content process
Impact: Attempt sandbox escape for full host compromise

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the victim to load attacker-controlled web content (or HTML email in Thunderbird) using a vulnerable build (Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, or Thunderbird ESR 140.11), and Mozilla explicitly notes that converting the observed memory corruption into reliable code execution would take "enough effort," which is reflected in CVSS AC:H. …
Risk Assessment: Signals are mixed and lean toward "patch promptly but not emergency." CVSS 8.1 with AV:N/AC:H/PR:N/UI:N/C:H/I:H/A:H reflects remote, unauthenticated, no-user-interaction exploitation but explicitly high attack complexity, consistent with Mozilla's own statement that exploitation would require "enough effort." SSVC reports Exploitation:none and Automatable:no, while Technical Impact:total aligns with potential arbitrary code execution. …
Exploit Scenario: An attacker hosts a malicious web page or sends an HTML email with crafted content that triggers one of the underlying memory-corruption bugs in Gecko's parsing or JavaScript engine when rendered by a vulnerable Firefox or Thunderbird build. Successful exploitation could allow arbitrary code execution within the content process, which an attacker would then need to combine with a sandbox escape for full system compromise; no public PoC was identified at time of analysis.
Remediation: Vendor-released patch: upgrade to Firefox 152, Firefox ESR 140.12, or Firefox ESR 115.37; Thunderbird users should update to the corresponding fixed Thunderbird release aligned with ESR 140.12. …

Recommended Action (AI)

24 hours: Inventory all Firefox 151, Firefox ESR 115.36/140.11, Thunderbird 151, and Thunderbird ESR 140.11 deployments in your environment.
7 days: Enable compensating controls including web content filtering, JavaScript restriction in non-essential contexts, and enforcement of browser sandboxing.
30 days: Monitor Mozilla security advisories for patch releases and establish expedited patching procedures for when Firefox 152+ and Thunderbird 152+ patches become available.
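The inventory and patch-status steps in the remediation and recommended-action sections above can be automated against the affected and fixed versions this page names. The following Python script is an added example, not code from vuln.today or Mozilla: it parses `firefox --version` / `thunderbird --version` style strings from a constructed inventory, assigns each build to its release or ESR branch (115 and 140 are the ESR lines on this page), and reports any build below the fixed release for its branch as needing an update. That is a deliberately conservative reading: the advisory lists specific affected builds, but the script treats every build older than the fix on a covered branch as unpatched. The Firefox fixed versions (152, ESR 140.12, ESR 115.37) come from the description; the Thunderbird fixed versions (ESR 140.12 and 152) are inferred from the remediation text and marked as assumptions in the code. `Build`, `parse_build`, `assess`, `triage` and `summarize` are names chosen for this example.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Fixed releases named on this page: Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37.
# Thunderbird fixed versions are not stated explicitly; they are inferred from
# "aligned with ESR 140.12" and "Thunderbird 152+" in the remediation text (assumption).
FIXED = {
    ("firefox", "esr115"): (115, 37),
    ("firefox", "esr140"): (140, 12),
    ("firefox", "release"): (152, 0),
    ("thunderbird", "esr140"): (140, 12),  # assumption, see above
    ("thunderbird", "release"): (152, 0),  # assumption, see above
}

# Major versions that are ESR branches for this advisory (derived from FIXED).
ESR_MAJORS = {int(branch[3:]) for (_, branch) in FIXED if branch.startswith("esr")}

# Matches "Mozilla Firefox 140.11.0esr", "Firefox 152.0", "Thunderbird 151.0.1".
_VERSION_RE = re.compile(
    r"^(?:Mozilla\s+)?(Firefox|Thunderbird)\s+(\d+)\.(\d+)(?:\.(\d+))?(esr)?\s*$",
    re.IGNORECASE,
)


class Build(NamedTuple):
    product: str   # "firefox" or "thunderbird"
    branch: str    # "release", "esr115", "esr140", ...
    version: tuple # (major, minor, patch)


def parse_build(line: str) -> Optional[Build]:
    """Parse one '<product> --version' style line; return None if it is not one."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        return None
    product = m.group(1).lower()
    major, minor, patch = int(m.group(2)), int(m.group(3)), int(m.group(4) or 0)
    # An "esr" suffix, or a major that is an ESR line on this page, means an ESR build;
    # a bare "140.11.0" from an asset database is therefore still treated as ESR 140.
    branch = f"esr{major}" if (m.group(5) or major in ESR_MAJORS) else "release"
    return Build(product, branch, (major, minor, patch))


def assess(build: Build) -> str:
    """'fixed' at or after the fixed release, 'update' below it,
    'unknown' for a branch this advisory does not cover."""
    fixed = FIXED.get((build.product, build.branch))
    if fixed is None:
        return "unknown"
    return "fixed" if build.version[:2] >= fixed else "update"


def triage(lines):
    """Classify every inventory line; unparsable lines are reported, not silently dropped."""
    results = []
    for line in lines:
        build = parse_build(line)
        status = "unparsed" if build is None else assess(build)
        results.append((line.strip(), build, status))
    return results


def summarize(results) -> dict:
    """Count hosts per status, e.g. {'update': 4, 'fixed': 2, ...}."""
    return dict(Counter(status for _, _, status in results))


# Constructed sample inventory (not real hosts); one version string per host.
SAMPLE_INVENTORY = [
    "Mozilla Firefox 140.11.0esr",   # ESR 140 below 140.12 -> update
    "Mozilla Firefox 140.12.0esr",   # fixed ESR release
    "Mozilla Firefox 115.36.0esr",   # ESR 115 below 115.37 -> update
    "Mozilla Firefox 151.0.1",       # release channel below 152 -> update
    "Mozilla Firefox 152.0",         # fixed
    "Thunderbird 151.0",             # update (assumed fix: Thunderbird 152)
    "Mozilla Firefox 128.3.1esr",    # ESR line this advisory does not name -> unknown
    "chromium 120.0.6099.109",       # not a Mozilla product line -> unparsed
]

if __name__ == "__main__":
    rows = triage(SAMPLE_INVENTORY)
    for line, build, status in rows:
        branch = build.branch if build else "-"
        print(f"{status:8} {branch:8} {line}")
    print(summarize(rows))
```

Feed it the output of `firefox --version` collected per host (or the version column of an asset database); the `unknown` and `unparsed` buckets are worth reviewing by hand rather than ignoring, since an ESR line not named here may have its own advisory.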


CVE-2026-12328 vulnerability details – vuln.today
