HIGH | CVE-2026-12314 | CNA: mozilla

CVE-2026-12314: Memory safety bug fixed in Thunderbird 152

Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 140.12
  • Affected Products: 2

HarborGuard Analysis

Synopsis

A memory safety bug in Mozilla Thunderbird and Firefox allows a remote attacker to read sensitive data without any authentication or user interaction. According to the CVSS vector (AV:N/AC:L/PR:N/UI:N), the vulnerability is reachable over the network and requires no privileges. Successful exploitation gives the attacker read access to confidential information from the affected process. Patched-image rebuilds at versions 140.12 and 152 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Firefox or Thunderbird.

Triage: Available

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights findings against each environment's compliance policy, routing alerts to the appropriate team inbox within each customer organization.

Patch: Available

A patched-image rebuild at fix versions 140.12 and 152 becomes available on HarborGuard once the upstream release is confirmed. For customers who opt into auto-remediation, the platform performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected service over the network; no local access or physical proximity is needed.

  • Authentication: Not required

    No account or credentials are needed to exploit this vulnerability.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user to trigger the vulnerability.

  • Attack complexity

    The exploit is reliable and condition-free, with no race conditions or special environmental factors required.

Blast Radius

  • A successful attacker reads confidential data from the memory space of the affected Thunderbird or Firefox process, which may include cached message content, session tokens, or credentials.
  • Integrity and availability of the affected process are not impacted; the attacker gains read-only access.

How HarborGuard Handles This

Available on HarborGuard: images containing affected versions of Thunderbird or Firefox are flagged immediately upon CVE ingestion. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the patched version (140.12 or 152), runs a regression test, and opens a PR against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For teams that manage patching manually, the finding appears in the vulnerability dashboard with fix-version details and a direct link to the upstream Mozilla advisory.

Fix available: 140.12, 152
Affected packages
  • Mozilla / Firefox
    Fixed in 140.12, 152
  • Mozilla / Thunderbird
    Fixed in 140.12, 152
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N