HarborGuard Database
CRITICAL · CVE-2026-12315 · Published · Modified · CNA: mozilla

CVE-2026-12315: Mitigation bypass in the DOM: Security component

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: 140.12
  • Affected Products: 2


HarborGuard Analysis

Synopsis

A mitigation bypass in the DOM Security component of Mozilla Firefox and Thunderbird is reachable by a remote attacker over the network without any authentication or user interaction. The flaw stems from an incomplete security control in the browser's DOM layer, which an attacker can exploit to circumvent existing protections. Successful exploitation grants the attacker the ability to read sensitive data and modify content or state within the affected application. Patched-image rebuilds at Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-12315 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of ingestion from upstream advisory feeds. Coverage extends to custom-built images that bundle Firefox or Thunderbird alongside any other distribution-packaged variants.

Triage: Available

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.1 (Critical) and weighting the result against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available automatically based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild targeting Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12 becomes available on HarborGuard as soon as the fix versions are resolvable in the relevant package feeds. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected application over the network; no local or physical access is required.

  • Authentication: Not required

    No account or credentials are needed to trigger the vulnerability.

  • Victim interaction: Not required

    The attacker does not need the victim to click a link, open a file, or take any other action.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free; no race conditions or specific memory layout are required.

Blast Radius

  • A successful attacker reads sensitive data accessible to the browser or mail client, including stored session tokens, cookies, and rendered page content.
  • A successful attacker modifies DOM state or content within the affected application, enabling content spoofing or tampering with data presented to the user.
  • Containers or images bundling Firefox or Thunderbird expose any secrets or credentials those applications handle at runtime to exfiltration.
  • Because scope is unchanged (S:U), impact is contained to the affected application process rather than the broader host, but that process may itself hold high-value data.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-12315 is active across all customer environments the moment the advisory is ingested, with image matching covering both registry-hosted and pipeline-built images that include Firefox or Thunderbird. For environments where compliance policy permits auto-remediation, HarborGuard rebuilds affected images at the patched versions (Firefox 152, Firefox ESR 140.12, Thunderbird 152, Thunderbird 140.12), executes a regression run against the rebuilt image, and opens a pull request against affected workloads. For Critical-severity issues, the median time from CVE publication to merged patch PR for environments with auto-remediation enabled is around 90 minutes. Customers who manage remediation manually will find the rebuilt image available in their HarborGuard registry view alongside a triage report showing affected image layers, CVSS scoring, and policy-weighted priority. Because this is a network-reachable, no-auth, no-interaction vulnerability rated 9.1, teams are advised to treat it as a high-urgency rebuild regardless of auto-remediation preference.


Fix available: 140.12, 152
Affected packages
  • Mozilla / Firefox
    Fixed in 140.12, 152
  • Mozilla / Thunderbird
    Fixed in 140.12, 152
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N