HIGH · CVE-2026-12318 · CNA: mozilla

CVE-2026-12318: Incorrect boundary conditions in the Libraries component in NSS

Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

Metrics

  • CVSS v3.1: 7.3
  • Severity: HIGH
  • Fixed in: 152
  • Affected Products: 2

HarborGuard Analysis

Synopsis

An incorrect boundary condition vulnerability exists in the Network Security Services (NSS) Libraries component used by Mozilla Firefox and Mozilla Thunderbird. The flaw is reachable over the network without any authentication or user interaction, making it exploitable by any remote attacker who can reach an affected service. Successful exploitation gives an attacker limited read access, limited write access, and can partially disrupt service availability. A patched-image rebuild at Firefox and Thunderbird version 152 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-12318 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Firefox or Thunderbird binaries. Any image in a customer registry or CI/CD pipeline carrying an affected version is flagged automatically.

Status: Available
Triage

HarborGuard scores this CVE at 7.3 HIGH using the CVSS v3.1 vector and weights the finding against each environment's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

A patched-image rebuild at version 152 becomes available on HarborGuard for any image found to carry an affected release of Firefox or Thunderbird. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected service over the network; no local or physical access is needed.

  • Authentication: Not required

    No credentials or account of any kind are needed to attempt exploitation.

  • Victim interaction: Not required

    The attacker does not need the victim to click a link, open a file, or take any other action.

  • Attack complexity: Detail

    The exploit is reliable and condition-free, with no race conditions or environmental dependencies required.

Blast Radius

  • A successful attacker reads a limited subset of data processed by NSS, which may include cryptographic material or connection metadata.
  • A successful attacker writes or tampers with a limited subset of data handled by the NSS library, potentially influencing TLS session state or certificate processing.
  • A successful attacker partially disrupts the availability of the affected application, degrading or interrupting its normal operation.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12318 is active for all scanned images carrying Firefox or Thunderbird versions prior to 152, with matching running continuously as new images are pushed or built. Where compliance policy permits, a patched-image rebuild at version 152 is queued automatically. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually can retrieve the flagged findings from the HarborGuard dashboard and proceed with their own upgrade workflow.

Fix available: 152

Affected packages
  • Mozilla / Firefox
    Fixed in 152
  • Mozilla / Thunderbird
    Fixed in 152
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L