CVE-2026-12305: Memory safety bug fixed in Thunderbird 152
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 140.12
- Affected Products: 2
HarborGuard Analysis
Synopsis
A memory safety bug in Mozilla Firefox and Thunderbird exposes affected systems to remote exploitation over the network, requiring no authentication or user interaction. An attacker who reaches the vulnerable service can trigger memory corruption that causes the application to crash. Successful exploitation results in a denial of service, taking down the affected browser or mail client. Patched-image rebuilds at versions 140.12 and 152 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream Mozilla and NVD feeds within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle Firefox or Thunderbird. Coverage extends to any image layer where an affected version of either product is present.
HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and can weight that score against each customer environment's compliance policy to surface priority routing. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at fix versions 140.12 or 152 is available on HarborGuard for any environment running an affected version of Firefox or Thunderbird. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test pass, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerability is reachable over the network, meaning an attacker must be able to send requests or content to the affected application from a remote location.
- Authentication: Not required
No authentication is required; an unauthenticated attacker can trigger the memory safety bug without holding any account or session credential.
- Victim interaction: Not required
No victim interaction is needed; the attacker does not rely on a user clicking a link or opening a file to trigger exploitation.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and imposes no special conditions, race windows, or environmental prerequisites on the attacker.
Blast Radius
- Crashes the Firefox or Thunderbird process, making the browser or mail client unavailable until restarted.
- Sustained or repeated triggering can keep the application in a crash loop, preventing users from accessing email or web content.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-12305 is active across the platform and matches any image containing an affected version of Firefox or Thunderbird. For environments running a vulnerable version, a patched-image rebuild at versions 140.12 or 152 is available. For customers who opt into auto-remediation, the rebuild is followed by a regression test run and a PR opened against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who manage remediation manually can pull the rebuilt image directly from their HarborGuard-managed registry once the fix version is confirmed present.
Fix available
- Mozilla / Firefox: Fixed in 140.12, 152
- Mozilla / Thunderbird: Fixed in 140.12, 152
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H