HIGH | CVE-2026-12317 | CNA: mozilla

CVE-2026-12317: Memory safety bug fixed in Thunderbird 152

Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 152
  • Affected Products: 2


HarborGuard Analysis

Synopsis

A memory safety bug in Mozilla Thunderbird (and Firefox) allows a remote, unauthenticated attacker to trigger a crash by sending specially crafted network data, requiring no user interaction. Successful exploitation causes a denial of service by crashing the affected application. A patched-image rebuild at version 152 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection for CVE-2026-12317 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Firefox or Thunderbird. Coverage applies to both registry scans and active CI/CD pipeline checks.

Status: Available

Triage

HarborGuard scores this CVE at 7.5 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer organization based on configured policy rules.

Status: Available

Patch

A patched-image rebuild at Thunderbird and Firefox version 152 becomes available through HarborGuard once an image including the fixed upstream packages is resolvable. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test pass, and opens a PR against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the affected service over the network; no local access or physical proximity is required.

  • Authentication: Not required

    No credentials or prior account access are needed to trigger the vulnerability.

  • Victim interaction: Not required

    The attacker does not need the user to click, open, or interact with anything; exploitation is fully remote and passive.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free, with no race conditions or environmental factors required to land the attack.

Blast Radius

  • Crashes the Thunderbird or Firefox process entirely, making the application unavailable until restarted.
  • Any in-progress work such as unsent email drafts or active browsing sessions is lost at the moment of crash.
  • Repeated exploitation can prevent users from accessing the application at all, effectively blocking email and browser workflows.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12317 is active across all scanned registries and pipelines, matching images that include affected versions of Thunderbird or Firefox. Where compliance policy permits auto-remediation, HarborGuard will rebuild the image at the patched version 152, execute a regression test run, and open a PR against affected workloads. For high-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who manage remediation manually will see the finding routed to their configured inbox with CVSS scoring and policy context attached.


Fix available: 152

Affected packages
  • Mozilla / Firefox
    Fixed in 152
  • Mozilla / Thunderbird
    Fixed in 152
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H