HIGH | CVE-2026-12312 | CNA: mozilla

CVE-2026-12312: Memory safety bug fixed in Thunderbird 152

Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 140.12
Affected Products: 2


HarborGuard Analysis

Synopsis

A memory safety bug affects Mozilla Firefox and Thunderbird across all versions prior to the fix releases. The vulnerability is reachable over the network without any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). Successful exploitation gives an attacker read access to sensitive data from the affected process. Patched-image rebuilds at versions 140.12 and 152 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Firefox or Thunderbird binaries. Any image containing an affected version is flagged automatically in both registry scans and pipeline checks.

Status: Available

Triage

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector, and that score is available as an input to each customer's compliance policy weighting to determine urgency and routing. Triage findings are routed to the appropriate team inbox within each customer organization based on their configured policy rules.

Status: Available

Patch

A patched-image rebuild targeting Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the service over the network; no local access or physical proximity is needed.

  • Authentication: Not required

    No credentials or account of any privilege level are needed to attempt exploitation.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user to trigger the vulnerability.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions or special environmental factors are required.

Blast Radius

  • A successful attacker reads data from the memory space of the affected Firefox or Thunderbird process, which may include cached credentials, session tokens, or message content.
  • Confidentiality is fully compromised at the process level; integrity and availability are not affected by this vulnerability.
  • Container images embedding affected Firefox or Thunderbird binaries expose any data those processes hold in memory to remote extraction.

How HarborGuard Handles This

Available on HarborGuard: detection is matched against customer images within minutes of CVE publication, covering both official distribution packages and custom images that bundle Firefox or Thunderbird. Where compliance policy permits, the patched rebuild at versions 140.12 or 152 is made available immediately. For customers with auto-remediation enabled, HarborGuard initiates a rebuild, runs a regression test pass, and opens a PR against affected workloads; the median time from CVE publication to merged patch PR is around 90 minutes for high-severity issues in auto-remediation-enabled environments. Customers who manage remediation manually can act on the flagged finding directly from the triage dashboard using the fix version references provided.


Fix available: 140.12, 152
Affected packages
  • Mozilla / Firefox
    Fixed in 140.12, 152
  • Mozilla / Thunderbird
    Fixed in 140.12, 152
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N