CVE-2026-12328: Memory safety bugs fixed in Firefox ESR 115.37, Firefox ESR 140.12, Thunderbird ESR 140.12, Firefox 152 and Thunderbird 152
Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 115.37
- Affected Products: 2
HarborGuard Analysis
Synopsis
Memory safety bugs, including evidence of memory corruption, affect Mozilla Firefox (all versions before 152 and ESR variants before 115.37 and 140.12) and Thunderbird (all versions before 152 and ESR versions before 140.12). The vulnerability is reachable over the network without authentication or user interaction, though exploitation requires overcoming high attack complexity conditions. Successful exploitation enables an attacker to execute arbitrary code, read sensitive data, or tamper with application state. Patched-image rebuilds at versions 115.37, 140.12, and 152 are available on HarborGuard for environments running affected versions.
HarborGuard Coverage
Detection of CVE-2026-12328 is available across every HarborGuard environment, with the CVE matched against images in customer registries and build pipelines within minutes of publication. Coverage includes custom-built images that bundle Firefox or Thunderbird binaries alongside other application layers.
Available
HarborGuard is capable of scoring this CVE at CVSS 8.1 (HIGH) and weighting that score against each customer org's compliance policy to determine breach of threshold. Triage findings are routed to the appropriate inbox or ticketing integration configured within each customer environment.
Available
A patched-image rebuild at fix versions 115.37, 140.12, or 152 (as applicable to the base image) becomes available on HarborGuard once the upstream package is resolvable in the dependency graph. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the affected service over the network; there is no requirement for local access or physical proximity.
- Authentication: Not required
  No credentials or session token are needed; an unauthenticated attacker can attempt exploitation directly.
- Victim interaction: Not required
  The vulnerability does not require any action from a user or operator on the target system.
- Attack complexity: Detail
  Exploitation is rated high complexity, meaning the attacker must account for race conditions, specific memory layout states, or other environmental factors that are not fully under their control.
Blast Radius
- A successful attacker executes arbitrary code in the context of the Firefox or Thunderbird process, gaining the same OS-level permissions as the running application.
- Confidential data accessible to the browser or mail client, such as stored credentials, session cookies, and message content, can be read directly.
- The attacker can modify in-process data or persisted application state, including cached files and profile data.
- The affected process can be crashed or made unresponsive, disrupting access to the application for the duration of the attack.
How HarborGuard Handles This
Available on HarborGuard: images containing affected Firefox or Thunderbird versions are flagged automatically against CVE-2026-12328 as part of each ingest cycle. For customers with auto-remediation enabled and compliance policies that permit automated changes, HarborGuard can rebuild the affected image at the appropriate fix version (115.37, 140.12, or 152), execute a regression test run, and open a pull request against impacted workloads. Median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS 8.1 scoring and fix-version detail so engineering teams can prioritize the upgrade manually. Given the high attack complexity rating, teams should also consider network-policy controls that limit which services can initiate outbound connections from containers running these applications, reducing the window for exploitation while the patch is staged.
Fix available
- Mozilla / Firefox: Fixed in 115.37, 140.12, 152
- Mozilla / Thunderbird: Fixed in 140.12, 152
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
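A version check built from the fix versions listed on this page, as an added example (not HarborGuard's or Mozilla's code): it reports whether an installed Firefox or Thunderbird version predates the fix on its branch. The `FIXED` table, the function names and the sample inventory are constructed for illustration; a version on a branch the page does not list is compared against 152, following the synopsis.

```python
import re

# Fix versions as listed on this page, per product and major branch.
# "release" applies to every branch the page does not list separately.
FIXED = {
    "firefox": {115: "115.37", 140: "140.12", "release": "152"},
    "thunderbird": {140: "140.12", "release": "152"},
}

VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.\d+)*(?:esr)?$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor) for strings such as '115.36.0esr' or '152'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def triage(product, version):
    """Return (affected, fix_version) for one installed package."""
    branches = FIXED[product.lower()]
    installed = parse_version(version)
    fix = branches.get(installed[0], branches["release"])
    return installed < parse_version(fix), fix


def scan(inventory):
    """Return the (image, product, version, fix) rows that need a rebuild."""
    findings = []
    for image, product, version in inventory:
        affected, fix = triage(product, version)
        if affected:
            findings.append((image, product, version, fix))
    return findings


# Constructed sample inventory; image names are hypothetical.
SAMPLE_INVENTORY = [
    ("registry.example/kiosk:1", "firefox", "115.36.0esr"),
    ("registry.example/kiosk:2", "firefox", "115.37.0esr"),
    ("registry.example/e2e-tests:7", "firefox", "151.0.1"),
    ("registry.example/mail-gw:3", "thunderbird", "140.11.0esr"),
    ("registry.example/mail-gw:4", "thunderbird", "152.0"),
]

if __name__ == "__main__":
    for row in scan(SAMPLE_INVENTORY):
        print("affected: %s (%s %s), fixed in %s" % row)
```

Pre-release strings such as betas are rejected with `ValueError` rather than guessed at, so they surface for manual review.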