HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-12289Published Modified CNA mozilla

CVE-2026-12289: Privilege escalation in the Graphics: WebRender component

Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

Metrics

CVSS v3.1
8.8
Severity
HIGH
Fixed in
115.37
Affected Products
2

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A privilege escalation vulnerability exists in the Graphics: WebRender component of Mozilla Firefox and Thunderbird. The flaw is reachable over the network without any authentication, but requires a victim to take an action (such as visiting a crafted page or opening a malicious message), as indicated by the CVSS vector. Successful exploitation gives an attacker full read, write, and availability impact on the affected system, meaning they can read sensitive data, tamper with it, and disrupt the application. Patched-image rebuilds at Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection

Detection of CVE-2026-12289 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. This matching covers custom-built images that bundle Firefox or Thunderbird alongside any upstream base images.

Available
Triage

HarborGuard is capable of scoring this CVE at 8.8 HIGH using the provided CVSS v3.1 vector and weighting the finding against each environment's compliance policy. Triage routing to the appropriate team inbox within each customer organization is available automatically based on policy configuration.

Available
Patch

A patched-image rebuild at the fix versions (Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12) becomes available in HarborGuard as soon as updated packages are published upstream. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the victim's Firefox or Thunderbird instance over the network, such as by hosting a crafted web page or email content that the victim loads remotely.

  • AuthenticationNot required

    No account or credential is needed; the attacker does not need to authenticate to the target service or application.

  • Victim interactionRequired

    The victim must perform an action, such as visiting a malicious page in Firefox or opening a crafted message in Thunderbird, for the exploit to trigger.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

  • A successful attacker reads confidential data accessible to the Firefox or Thunderbird process, including stored credentials, session tokens, and local profile data.
  • An attacker can modify data within the scope of the affected process, including cached files, user preferences, or data passed between browser components.
  • The attacker can crash or destabilize the affected Firefox or Thunderbird instance, causing a denial of service for the user.
  • Because this is a privilege escalation vulnerability, an attacker may gain elevated capabilities beyond the browser sandbox, depending on the host environment configuration.

How HarborGuard Handles This

Available on HarborGuard: detection runs automatically against all images in connected registries and pipelines, flagging any image that bundles an affected version of Firefox or Thunderbird. Where a customer's compliance policy permits auto-remediation, HarborGuard can trigger a rebuild pinned to the patched versions, run regression tests against the new image, and open a pull request against affected workloads. Median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with fix-version guidance so engineering teams can act manually. Customers who cannot immediately update should consider network-policy controls that restrict which hosts Firefox or Thunderbird instances can reach, reducing the attacker's ability to deliver exploit payloads.

See how HarborGuard automates this

Fix available

115.37140.12152
Affected packages
  • Mozilla / Firefox
    Fixed in 115.37, 140.12, 152
  • Mozilla / Thunderbird
    Fixed in 140.12, 152
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References