CVE-2026-12293 | Severity: CRITICAL | CNA: mozilla

CVE-2026-12293: Use-after-free in the Graphics: WebGPU component

Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

Metrics

CVSS v3.1 base score: 9.8
Severity: CRITICAL
Fixed in: 152
Affected products: 2


HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the WebGPU graphics component of Mozilla Firefox and Thunderbird. The flaw is triggered by attacker-controlled content that the client renders: no authentication is required and, per the CVSS vector, no user interaction beyond loading that content. Note that WebGPU is only reachable through the navigator.gpu JavaScript API, and Thunderbird disables scripting when rendering mail, so the realistic trigger is a malicious web page (or a browser-like context inside Thunderbird) rather than an ordinary HTML message. Successful exploitation gives an attacker control of the process in which the bug fires, enabling arbitrary code execution, theft of data held by that process, and application crashes. A patched-image rebuild at version 152 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-12293 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Firefox or Thunderbird.
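To make the matching rule concrete, here is an added example (it is not HarborGuard's scanner) that takes a package inventory and flags the entries this page lists as affected: firefox or thunderbird below 152. The inventory rows, image names and the esr-suffixed version are constructed for illustration. Versions are compared as integer tuples so that "99.0" is correctly treated as older than "152"; builds carrying an "esr" suffix are reported separately as an assumption-driven caveat, because this page gives only the mainline fix version and an ESR branch is patched on its own schedule, so it must be checked against the Mozilla advisory rather than auto-classified.

```python
"""Flag image inventory entries that bundle a Firefox or Thunderbird build below
the fixed version given on this page. Added example; not HarborGuard's scanner."""
import re

FIXED_VERSION = (152,)                      # "Fixed in 152" per this page
AFFECTED_PACKAGES = {"firefox", "thunderbird"}

# Constructed sample inventory for illustration; not real scan output.
SAMPLE_INVENTORY = [
    {"image": "ci-e2e-runner:2025.12", "package": "firefox",     "version": "151.0.1"},
    {"image": "ci-e2e-runner:2026.01", "package": "firefox",     "version": "152.0"},
    {"image": "mail-archiver:7",       "package": "thunderbird", "version": "140.6.0esr"},
    {"image": "base-debian:12",        "package": "libssl3",     "version": "3.0.15"},
    {"image": "legacy-kiosk:1",        "package": "firefox",     "version": "99.0"},
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(esr)?", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """'151.0.1' -> ((151, 0, 1), False); '140.6.0esr' -> ((140, 6, 0), True).

    Integer tuples compare numerically, so 99.0 < 152 holds; comparing the raw
    strings would wrongly put '99.0' after '152'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, bool(m.group(2))


def classify(package: str, version: str) -> str:
    """Return 'affected', 'fixed', 'esr-verify' or 'not-applicable'."""
    if package.lower() not in AFFECTED_PACKAGES:
        return "not-applicable"
    numbers, is_esr = parse_version(version)
    if numbers >= FIXED_VERSION:
        return "fixed"
    # Assumption/caveat: the page lists only the mainline fix (152). ESR branches
    # are patched on their own schedule, so an older ESR build is sent for manual
    # checking against the Mozilla advisory instead of an automatic verdict.
    return "esr-verify" if is_esr else "affected"


def scan(inventory: list) -> dict:
    """Group inventory rows by verdict; each entry is (image, package, version)."""
    report = {"affected": [], "fixed": [], "esr-verify": [], "not-applicable": []}
    for row in inventory:
        verdict = classify(row["package"], row["version"])
        report[verdict].append((row["image"], row["package"], row["version"]))
    return report


if __name__ == "__main__":
    for verdict, rows in scan(SAMPLE_INVENTORY).items():
        for image, package, version in rows:
            print(f"{verdict:15} {image:25} {package} {version}")
```

Run against the constructed inventory, the two mainline builds below 152 come back as affected, the 152.0 build as fixed, the libssl3 row as not applicable, and the ESR build as needing verification.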
Triage: Available

Triage is available using the CVSS v3.1 base score of 9.8 (Critical), weighted against each customer organization's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer environment based on configured escalation rules.
Patch: Available

A patched-image rebuild at Firefox and Thunderbird version 152 becomes available on HarborGuard for any environment with an affected image. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable component is reached through content delivered over the network: an attacker serves a malicious web page (or, for Thunderbird, content rendered in a browser-like context) and needs no local access to the host.

  • Authentication: Not required

    No account or credentials are needed; any unauthenticated party who can get the browser or mail client to load attacker-controlled content can trigger the vulnerability.

  • Victim interaction: Not required

    No user action beyond normal browsing or opening a message is required, as the attack does not depend on the victim clicking a specific element or approving a prompt.

  • Attack complexity: Low

    Attack complexity is rated low (AC:L), which in CVSS terms means exploitation does not depend on conditions outside the attacker's control, such as a particular configuration or winning a race against another process. It does not mean a working exploit is trivial: turning a use-after-free into code execution still typically requires the attacker to shape the heap so that a controlled allocation reuses the freed object's memory, and the base score does not capture that engineering effort.

Blast Radius

  • An attacker achieves arbitrary code execution inside the Firefox or Thunderbird process in which the bug is triggered, giving full control over that process's execution context. The vector's S:U (scope unchanged) rating scores impact within that process; escaping a sandboxed browser process to the rest of the host would require a further vulnerability.
  • All data accessible to the browser or mail client, including stored credentials, session tokens, cookies, and locally cached files, can be read.
  • An attacker can write or modify data within the process, including in-memory state that governs application behavior.
  • The affected application process can be crashed on demand, causing a denial of service for the end user.

How HarborGuard Handles This

Detection for CVE-2026-12293 is active across all HarborGuard scanning pipelines and flags any image that bundles an affected version of Firefox or Thunderbird. Because the fix is available at version 152, a patched-image rebuild is made available as soon as the fix is confirmed in the upstream feed. For customers with auto-remediation enabled, HarborGuard performs the image rebuild, executes regression testing, and opens a pull request against affected workloads; for high and critical severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in those environments. Where compliance policy requires manual approval, the finding is surfaced with full CVSS context and policy weight so reviewers can act quickly. Customers who have not yet upgraded should consider restricting container egress and applying network policy controls, so that a containerised browser or mail client can only fetch content from trusted origins, while the patched image is validated and promoted.


Fix available: 152

Affected packages
  • Mozilla / Firefox: fixed in 152
  • Mozilla / Thunderbird: fixed in 152

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H