HIGH | CVE-2026-12290 | Published | Modified | CNA: mozilla

CVE-2026-12290: Memory safety bug fixed in Thunderbird 152

Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 115.37
Affected Products: 2

HarborGuard Analysis

Synopsis

A memory safety bug affects Mozilla Firefox and Thunderbird across all versions prior to the fixed releases. The vulnerability is reachable over the network without any authentication, but requires the victim to interact with attacker-controlled content (for example, visiting a malicious page or opening a crafted message). Successful exploitation gives an attacker the ability to read sensitive data and modify application state. Patched-image rebuilds at versions Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream Mozilla and NVD feeds, covering both vendor-supplied and custom-built images in connected registries and CI pipelines.

Available

Triage

HarborGuard scores this CVE at CVSS 8.1 (HIGH) and can apply per-environment compliance policy weighting to escalate or suppress severity before routing findings to the appropriate team inbox within each customer organization.

Available

Patch

A patched-image rebuild at Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, or Thunderbird 140.12 becomes available on HarborGuard once an affected image is identified. For customers who opt into auto-remediation, HarborGuard runs a rebuilt image through a regression test suite and opens a PR against affected workloads automatically.

Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the victim's application over the network, meaning the service or client must be exposed to attacker-reachable network traffic.

  • Authentication: Not required

    No credentials or account are needed; the attacker can target any user without prior access.

  • Victim interaction: Required

    The victim must take an action such as opening a crafted email message or navigating to a malicious URL for the exploit to trigger.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific environmental configuration.

Blast Radius

  • A successful attacker reads sensitive application data, which in Thunderbird may include stored email content, contacts, or session credentials.
  • A successful attacker modifies application state or in-memory data, potentially altering message display or injecting content into the running process.
  • Confidentiality and integrity of the affected Mozilla application process are fully compromised; availability is not directly affected by this vulnerability.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image containing an affected version of Firefox or Thunderbird, including custom-built container images that bundle either application. Where compliance policy permits, HarborGuard can trigger a patched-image rebuild pinned to a fixed release (Firefox 152, ESR 140.12, ESR 115.37, Thunderbird 152, or Thunderbird 140.12), run a regression test suite against the rebuilt image, and open a PR against affected workloads. For environments with auto-remediation enabled, the median time from CVE publication to a merged patch PR for HIGH-severity issues is around 90 minutes. Customers who have not enabled auto-remediation will see the finding surfaced in their HarborGuard dashboard with fix-version details and affected image paths for manual action.

Fix available

115.37, 140.12, 152

Affected packages
  • Mozilla / Firefox
    Fixed in 115.37, 140.12, 152
  • Mozilla / Thunderbird
    Fixed in 140.12, 152
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N