Skip to main content

Mozilla Firefox EUVDEUVD-2026-37071

| CVE-2026-12325 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-16 mozilla GHSA-w26x-6wxp-828q
Medium
Disputed · 6.5 Vendor: mozilla
Share

Severity by source

Sources disagree (Low–Critical)
Vendor (mozilla) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Network-delivered browser DoS requires only user browsing; no attacker privileges needed; UI:R mandatory; availability-only impact with no scope change.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
CRITICAL
qualitative
Red Hat
3.4 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: mozilla

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 16, 2026 - 15:49 vuln.today
CVSS changed
Jun 16, 2026 - 15:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 16, 2026 - 11:52 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.

AnalysisAI

Uncontrolled resource consumption in Mozilla Firefox's Graphics: ImageLib component allows remote attackers to crash or hang the browser by serving specially crafted image content to an unsuspecting user. All Firefox release-channel versions prior to 152 and both ESR tracks (prior to 140.12 and 115.37) are affected, exposing a broad install base across consumer and enterprise environments. No public exploit has been identified, SSVC rates exploitation as none with a non-automatable attack path, and KEV listing is absent - signals that collectively place this vulnerability at lower real-world priority despite a CVSS 6.5 score.

Technical ContextAI

The vulnerability resides in Firefox's Graphics: ImageLib subsystem, Mozilla's internal image decoding and processing library responsible for handling raster formats such as JPEG, PNG, WebP, and AVIF within the browser rendering pipeline. CWE-400 (Uncontrolled Resource Consumption) identifies the root cause class: a crafted image likely triggers an unbounded decode loop, excessive heap allocation, or a recursive processing path, causing the browser process to exhaust available CPU or memory until it becomes unresponsive. CPE data (cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*) confirms the flaw spans all Firefox versions across platforms without version-range restriction, indicating it was not introduced in a recent release. Three concurrent Mozilla Security Advisories (mfsa2026-57, mfsa2026-58, mfsa2026-59) cover the release, ESR 140, and ESR 115 channels respectively, reflecting Mozilla's standard coordinated multi-track patching practice.

RemediationAI

Upgrade to Firefox 152 or later for users on the standard release channel; Firefox ESR 140.12 or later for enterprise deployments on the ESR 140 track; or Firefox ESR 115.37 or later for organizations still on the legacy ESR 115 track. These are vendor-released patches confirmed by Mozilla security advisories mfsa2026-57, mfsa2026-58, and mfsa2026-59 at https://www.mozilla.org/security/advisories/. If immediate patching is constrained by change-management processes, deploying a web content filtering proxy to block delivery of anomalously large or structurally malformed image files reduces exposure, though this provides imperfect coverage against sophisticated attacker-controlled content. Enforcing browser isolation (e.g., Remote Browser Isolation solutions) in high-risk user populations eliminates the attack surface entirely at the trade-off of infrastructure cost and potential latency. Restricting user browsing to approved-site allowlists via DNS or proxy policy is a practical compensating control for regulated environments, with the trade-off of reduced browsing flexibility.

CVE-2015-4495 HIGH POC
8.8 Aug 08

The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote

CVE-2013-1690 HIGH POC
8.8 Jun 26

Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before

CVE-2013-0758 CRITICAL POC
9.3 Jan 13

Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb

CVE-2013-0753 CRITICAL POC
9.3 Jan 13

Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox b

CVE-2012-3993 CRITICAL POC
9.3 Oct 10

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi

CVE-2013-1710 CRITICAL POC
10.0 Aug 07

The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird befo

CVE-2017-3823 HIGH POC
8.8 Feb 01

An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta

CVE-2014-8636 HIGH POC
7.5 Jan 14

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with

CVE-2013-0757 CRITICAL POC
9.3 Jan 13

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi

CVE-2014-1510 CRITICAL POC
9.8 Mar 19

The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se

CVE-2014-1511 CRITICAL POC
9.8 Mar 19

Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remo

CVE-2013-0643 HIGH
8.8 Feb 27

The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and b

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

EUVD-2026-37071 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy