HIGH | CVE-2026-12324 | CNA: mozilla

CVE-2026-12324: Incorrect boundary conditions in the Graphics: CanvasWebGL component

Incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

Metrics

  • CVSS v3.1: 7.3
  • Severity: HIGH
  • Fixed in: 140.12
  • Affected Products: 2

HarborGuard Analysis

Synopsis

An incorrect boundary condition vulnerability in the Graphics: CanvasWebGL component affects all versions of Mozilla Firefox and Thunderbird. The flaw is reachable over the network with no authentication required and no user interaction needed beyond normal browsing. Successful exploitation allows an attacker to read data from the affected process, modify in-memory state, and crash the application. A patched-image rebuild at Firefox 152 and Firefox ESR 140.12 (and the corresponding Thunderbird releases) is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-12324 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle Firefox or Thunderbird.

Status: Available

Triage

HarborGuard scores this CVE at 7.3 HIGH using the published CVSS v3.1 vector and weights findings against each environment's compliance policy, then routes alerts to the appropriate team inbox within the customer organization.

Status: Available

Patch

A patched-image rebuild at Firefox 152 and Firefox ESR 140.12 (Thunderbird 152 and Thunderbird 140.12 respectively) is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The vulnerable component is exposed over the network, meaning an attacker can reach it from the internet or any network-adjacent position without requiring local system access.

  • Authentication: Not required

    No account or credential of any privilege level is needed to deliver a malicious payload to the affected component.

  • Victim interaction: Not required

    The attack can be carried out without any action from a user beyond normal use of the browser or mail client.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions, specific memory layouts, or environmental prerequisites must be satisfied for the attack to succeed.

Blast Radius

  • A successful attacker reads data from the renderer process memory, which may include page content, session state, or other in-scope data.
  • A successful attacker modifies in-scope memory or in-process state, potentially altering rendered content or injecting data into the affected context.
  • A successful attacker crashes the affected Firefox or Thunderbird process, causing a denial of service for the user session.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12324 is active across all customer environments and matches any image that bundles an affected Firefox or Thunderbird release. Where a customer's compliance policy permits auto-remediation, HarborGuard rebuilds the image at the fixed versions (Firefox 152 or ESR 140.12, Thunderbird 152 or ESR 140.12), runs a regression test pass, and opens a PR against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers who manage remediation manually will find the fixed versions flagged in the HarborGuard findings dashboard with direct links to the upstream release notes.

Fix available

140.12, 152
Affected packages
  • Mozilla / Firefox
    Fixed in 140.12, 152
  • Mozilla / Thunderbird
    Fixed in 140.12, 152
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L