
Cloud Vulnerability DB
A community-led database of vulnerabilities
CVE-2026-12328 is a memory safety vulnerability affecting Mozilla Firefox, Firefox ESR, and Thunderbird, involving multiple memory corruption bugs that could be exploited to run arbitrary code. It affects Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151, and Thunderbird 151. The vulnerability was disclosed on June 16, 2026, and was reported by Andrew McCreight, Randell Jesup, Tom Ritter, and the Mozilla Fuzzing Team. It carries a CVSS v3.1 base score of 8.1 (High) (Mozilla Advisory mfsa2026-57, Mozilla Advisory mfsa2026-59).
The vulnerability is classified under CWE-120 (Buffer Copy without Checking Size of Input / Classic Buffer Overflow), stemming from memory safety bugs present across multiple Firefox and Thunderbird versions. Mozilla's description notes that some of these bugs showed evidence of memory corruption, and with sufficient effort, they could be exploited to achieve arbitrary code execution. The attack vector is network-based with high attack complexity, requiring no privileges or user interaction. The underlying bug IDs tracked in Mozilla's Bugzilla include 2029402, 2038477, 2039726, 2041373, 2042268, 2042451, 2042782, 2042858, 2042929, 2042965, and 2043213 (Mozilla Advisory mfsa2026-57, Mozilla Advisory mfsa2026-58).
Successful exploitation of CVE-2026-12328 could allow a remote attacker to execute arbitrary code on affected systems, resulting in high impact to confidentiality, integrity, and availability. Because the vulnerability requires no privileges and no user interaction, a network-accessible attacker could potentially compromise the browser process, access sensitive user data, or use the compromised browser as a foothold for further lateral movement within a network. The scope is limited to the affected application's security context, but arbitrary code execution in a browser environment poses significant risk to end-user systems (Mozilla Advisory mfsa2026-57, Mozilla Advisory mfsa2026-59).
Mozilla has released patched versions addressing CVE-2026-12328: Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird ESR 140.12. Users and administrators should update to these versions immediately. No configuration-based workarounds have been published; upgrading to a fixed release is the only recommended remediation (Mozilla Advisory mfsa2026-57, Mozilla Advisory mfsa2026-58, Mozilla Advisory mfsa2026-59).
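As an added example (not code from Mozilla or from this database entry), the following sketch triages an asset inventory against the fixed releases listed above. It assumes that any version older than the fixed release on a listed branch still needs the update, and that versions are recorded in the form `140.11.0esr` / `151.0.1`; the hostnames and the inventory layout are constructed.

```python
import re

# Fixed releases as listed in this entry, keyed by (product, channel, ESR branch).
# The release channel is a single rolling branch, so its branch key is None.
FIXED = {
    ("firefox", "release", None): (152,),
    ("firefox", "esr", 140): (140, 12),
    ("firefox", "esr", 115): (115, 37),
    ("thunderbird", "release", None): (152,),
    ("thunderbird", "esr", 140): (140, 12),
}

def parse_version(text):
    """Turn '140.11.0esr' or '151.0.1' into ((140, 11, 0), is_esr)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(esr)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), bool(m.group(2))

def _pad(version, width):
    # Pad with zeros so (152,) and (152, 0, 1) compare component by component.
    return version + (0,) * (width - len(version))

def triage(product, version, channel=None):
    """Return 'patched', 'update-required' or 'branch-not-listed'."""
    numbers, esr_suffix = parse_version(version)
    channel = channel or ("esr" if esr_suffix else "release")
    branch = numbers[0] if channel == "esr" else None
    fixed = FIXED.get((product.lower(), channel, branch))
    if fixed is None:
        # This entry names no fixed release for the branch: flag for manual review.
        return "branch-not-listed"
    width = max(len(numbers), len(fixed))
    if _pad(numbers, width) >= _pad(fixed, width):
        return "patched"
    return "update-required"

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("ws-01", "firefox", "151.0.1"),
    ("ws-02", "firefox", "140.11.0esr"),
    ("ws-03", "thunderbird", "140.12.0esr"),
    ("ws-04", "firefox", "128.5.0esr"),
]

def scan(inventory):
    return {host: triage(product, version) for host, product, version in inventory}
```

Hosts reported as `branch-not-listed` are on an ESR branch for which this entry names no fixed release and should be checked against the Mozilla advisories directly.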
The vulnerability was noted on social media platforms including Mastodon and Bluesky shortly after disclosure on June 16, 2026, with automated CVE tracking accounts sharing the advisory. Tenable published detection pipeline entries for the vulnerability. No significant independent researcher commentary or major media coverage has been identified beyond standard vulnerability tracking and aggregation services (Feedly).
Source: This report was generated with the help of AI