CVE-2026-12316: Mitigation bypass in the DOM: Security component
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: 152
- Affected Products: 2
HarborGuard Analysis
Synopsis
A mitigation bypass vulnerability exists in the DOM Security component of Mozilla Firefox and Thunderbird. The flaw is reachable over the network with no authentication required and no user interaction needed, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). Successful exploitation gives an attacker read access to sensitive data (high confidentiality impact, C:H) and the ability to tamper with content or data in the affected context (high integrity impact, I:H). A patched-image rebuild at version 152 is available on HarborGuard for environments running affected versions of Firefox or Thunderbird.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream Mozilla and NVD feeds within minutes of publication and matched against customer images, including custom-built images that bundle Firefox or Thunderbird. Any image in a customer registry or CI pipeline that contains an affected version is flagged automatically.
HarborGuard scores this CVE at CVSS 9.1 (Critical) and surfaces it accordingly in each customer environment, weighted against that environment's compliance policy to determine urgency tier. Triage notifications are routed to the inbox or ticketing integration configured for each customer org.
A patched-image rebuild at Firefox and Thunderbird version 152 becomes available on HarborGuard as soon as the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the affected service over the network; no local access or physical proximity is required.
- Authentication: Not required
No account or credentials of any privilege level are needed to attempt exploitation.
- Victim interaction: Not required
The exploit does not rely on a user clicking a link, opening a file, or taking any other action.
- Attack complexity: Low (AC:L)
The exploit is reliable and condition-free; no race conditions or special environmental factors need to align.
Blast Radius
- A successful attacker reads sensitive data accessible within the DOM Security context, such as session tokens, page content, or stored credentials exposed through the bypassed mitigation.
- A successful attacker modifies DOM content or data in ways the bypassed security controls were designed to prevent, enabling content injection or cross-origin data manipulation.
- Availability is not impacted by this vulnerability; the affected service continues running after exploitation.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-12316 is active against all customer registries and pipelines, matching any image that bundles Firefox or Thunderbird below version 152. Given the Critical CVSS score (9.1) and the zero-barrier exploit conditions (no auth, no interaction, network-reachable), this CVE is automatically elevated to the highest urgency tier under most compliance policy configurations. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at version 152, runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image is staged and the PR is held open for reviewer sign-off.
Fix available
- Mozilla / Firefox: Fixed in 152
- Mozilla / Thunderbird: Fixed in 152
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N