CVE-2026-12310: Memory safety bug fixed in Thunderbird 152
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 140.12
- Affected Products: 2
HarborGuard Analysis
Synopsis
A memory safety bug affects Mozilla Firefox and Thunderbird across all versions prior to the fixed releases. The vulnerability is reachable over the network without any authentication or user interaction, based on its CVSS vector (AV:N/PR:N/UI:N). Successful exploitation gives an attacker the ability to read confidential data from the affected process, such as stored credentials, session tokens, or message content. Patched-image rebuilds at versions 140.12 and 152 are available on HarborGuard for environments running affected versions.
HarborGuard Coverage
- Available: Detection for CVE-2026-12310 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. This matching covers custom-built images that bundle Firefox or Thunderbird, not only official base images.
- Available: HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within the customer org based on configured ownership rules.
- Available: A patched-image rebuild at Firefox ESR 140.12 / Firefox 152 and Thunderbird ESR 140.12 / Thunderbird 152 becomes available in HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required. The attacker must reach the affected Firefox or Thunderbird instance over the network; no local access or physical proximity is needed.
- Authentication: Not required. No account credentials or session tokens are needed; an unauthenticated remote party can trigger the vulnerability.
- Victim interaction: Not required. The exploit does not require the user to click a link, open a file, or take any other action.
- Attack complexity: Low. Attack complexity is rated Low (AC:L), meaning the exploit is reliable and requires no special race conditions, memory layout dependencies, or environmental prerequisites.
Blast Radius
- A successful attacker reads data from the memory space of the affected Firefox or Thunderbird process, which may include stored credentials, OAuth tokens, or cached email content.
- Confidentiality impact is rated High; integrity and availability are unaffected, so the attacker gains read access but cannot modify data or crash the service through this vector alone.
- In a containerized deployment where Firefox or Thunderbird is bundled into an image, a memory disclosure could expose environment variables or secrets mounted into that container.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-12310 is active across customer image registries and build pipelines, covering any image that includes an affected version of Firefox or Thunderbird. Where compliance policy permits, HarborGuard can trigger a patched-image rebuild pinned to Firefox 152 / ESR 140.12 or Thunderbird 152 / ESR 140.12. For customers who opt into auto-remediation, the rebuild is followed by an automated regression run and a pull request opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Customers who manage their own remediation cadence can review the flagged images in the HarborGuard dashboard and apply the fix version on their own schedule.
Fix available
- Mozilla / Firefox: Fixed in 140.12, 152
- Mozilla / Thunderbird: Fixed in 140.12, 152
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N