CVE-2026-12326: Memory safety bugs fixed in Firefox 152 and Thunderbird 152
Memory safety bugs present in Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Metrics
- CVSS v3.1: 7.3
- Severity: HIGH
- Fixed in: 152
- Affected Products: 2
HarborGuard Analysis
Synopsis
Memory safety bugs, some with observed memory corruption, affect Mozilla Firefox and Thunderbird versions prior to 152. The CVSS v3.1 vector rates the bugs as network-reachable with no privileges and no user interaction required (AV:N/PR:N/UI:N); in practice, any web page, embedded resource, or message that the browser or mail client renders is a potential trigger. Successful exploitation lets an attacker read data, modify data, or crash the affected application (rated C:L/I:L/A:L), and Mozilla presumes that with enough effort some of these bugs could have been exploited to run arbitrary code. A patched-image rebuild at version 152 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection for CVE-2026-12326 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built images that bundle Firefox or Thunderbird binaries, not only upstream base images.
HarborGuard scores this CVE at 7.3 HIGH (CVSS v3.1) and is capable of weighting that score against each customer environment's compliance policy to reflect local risk context. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild pinned to Firefox 152 and Thunderbird 152 becomes available through HarborGuard once an affected image is matched. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the affected application over the network, for example by serving malicious content to a browser or mail client exposed to internet or internal network traffic.
- Authentication: Not required
No account or credentials are needed; the vulnerability is reachable by any unauthenticated party who can deliver content to the affected application.
- Victim interaction: Not required
No user action beyond normal application use (opening a page or reading a message) is required to trigger the vulnerability.
- Attack complexity: Low
The CVSS vector rates attack complexity as Low (AC:L), meaning the scoring assumes no race conditions or specific memory-layout preconditions. That is a scoring convention, not evidence of a working exploit: the upstream advisory states only that some of these bugs could have been exploited with enough effort, and no public exploit is referenced here.
Blast Radius
- An attacker may read data accessible to the Firefox or Thunderbird process, which can include in-memory session tokens, cached credentials, and rendered page or message content. The CVSS vector rates confidentiality impact as Low (C:L), meaning partial rather than total disclosure.
- An attacker may modify data within the process, potentially altering rendered content or in-memory application state (I:L).
- The affected application process can be crashed, causing a denial of service for the end user (A:L).
- With sufficient exploitation effort against the memory corruption primitives, an attacker may execute arbitrary code under the permissions of the browser or mail client process. The upstream advisory does not say which process (a sandboxed content process or the privileged parent process) the affected code runs in, so the practical reach of code execution is not established by the advisory alone.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is matched against customer images continuously, covering both upstream Mozilla images and any custom images that bundle Firefox or Thunderbird binaries. For environments running a version prior to 152, a patched-image rebuild becomes available as soon as the affected image is identified. Customers with auto-remediation enabled receive a rebuilt image, a regression test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage patching manually can use HarborGuard findings to prioritize this issue given its network-reachable, no-authentication attack surface and the concrete evidence of memory corruption in the upstream advisory.
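For teams that manage patching manually, the quickest local check is to ask the binary itself. The script below is an added example written for this page, not HarborGuard's or Mozilla's tooling. It assumes `firefox --version` and `thunderbird --version` print a string whose first integer is the major version (for example `Mozilla Firefox 151.0.1`), takes "fixed in 152" from the advisory as its only threshold, and deliberately does not handle ESR branches, which the advisory does not mention. The version strings in the sample loop are constructed for illustration.

```shell
#!/bin/sh
# Added example (not HarborGuard's or Mozilla's code): decide whether a Firefox or
# Thunderbird version string is below the release that fixes CVE-2026-12326.
# Only fact taken from the advisory: fixed in 152. ESR branches are out of scope here.

FIXED_MAJOR=152

# mozilla_major "Mozilla Firefox 151.0.1" -> prints "151" (first integer in the string).
# If the string has no digits, the input is echoed back unchanged and rejected below.
mozilla_major() {
    printf '%s\n' "$1" | sed 's/^[^0-9]*\([0-9][0-9]*\).*$/\1/'
}

# is_affected "<version string>"
#   exit 0 -> major < 152 (affected)
#   exit 1 -> major >= 152 (fixed)
#   exit 2 -> no version number could be parsed
is_affected() {
    major=$(mozilla_major "$1")
    case "$major" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$major" -lt "$FIXED_MAJOR" ]
}

# verdict "<version string>" -> prints AFFECTED, FIXED or UNKNOWN on one line.
# The "|| rc=$?" form keeps this safe under "set -e".
verdict() {
    rc=0
    is_affected "$1" || rc=$?
    case "$rc" in
        0) printf 'AFFECTED\n' ;;
        1) printf 'FIXED\n' ;;
        *) printf 'UNKNOWN\n' ;;
    esac
}

# scan_installed: query any firefox/thunderbird binary on PATH and print a verdict.
# Assumes "<bin> --version" prints the version string; prints nothing if neither is installed.
scan_installed() {
    for bin in firefox thunderbird; do
        if command -v "$bin" >/dev/null 2>&1; then
            v=$("$bin" --version 2>/dev/null || true)
            printf '%s: %s -> %s\n' "$bin" "$v" "$(verdict "$v")"
        fi
    done
}

# Constructed sample strings (not taken from any real host) showing all three verdicts.
for sample in "Mozilla Firefox 151.0.1" "Thunderbird 152.0" "Mozilla Firefox 152.0.1" "firefox: not found"; do
    printf '%-26s -> %s\n' "$sample" "$(verdict "$sample")"
done
scan_installed
```

Run it inside the container image under review (`sh check-cve-2026-12326.sh`, assumed filename); an AFFECTED line means the image needs the 152 rebuild, and UNKNOWN means the binary did not answer in the expected format and should be inspected by hand rather than assumed fixed.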
Fix available
- Mozilla / Firefox: Fixed in 152
- Mozilla / Thunderbird: Fixed in 152
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L