CVE-2026-12329: 
NixOS Schwachstellenanalyse und -minderung

CVE-2026-12329 is a memory safety vulnerability affecting Mozilla Firefox ESR and Thunderbird ESR, classified as high impact by Mozilla. It was reported by Michael Froman and disclosed on June 16, 2026, as part of Mozilla Foundation Security Advisories 2026-58 and 2026-61. The vulnerability affects Firefox ESR versions prior to 140.12 and Thunderbird ESR versions prior to 140.12. It carries a CVSS v3.1 base score of 5.3 (Medium), though Mozilla rates its impact as high (Mozilla Advisory, GitHub Advisory).

The vulnerability is rooted in memory safety issues within the browser engine, classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), with associated weaknesses including CWE-416 (Use After Free) and CWE-476 (NULL Pointer Dereference) (GitHub Advisory). The flaw is network-accessible, requires no privileges and no user interaction, and has low attack complexity, meaning a remote unauthenticated attacker could potentially trigger the memory safety bug via crafted web content. The specific internal component affected is not publicly disclosed, as the underlying Bugzilla bug report (Bug 2044738) is access-restricted (Mozilla Advisory). No public proof-of-concept code has been identified at this time.

Successful exploitation of this vulnerability primarily affects availability, with the CVSS scoring reflecting a low availability impact and no direct confidentiality or integrity impact (GitHub Advisory). However, Mozilla's own classification of the issue as "high" impact suggests that memory corruption conditions could, under certain circumstances, be leveraged for more severe outcomes such as arbitrary code execution. In Thunderbird, Mozilla notes that such flaws generally cannot be exploited through email since scripting is disabled when reading mail, but they remain risks in browser or browser-like contexts (Mozilla Advisory).

Mozilla has released patched versions addressing this vulnerability: Firefox ESR 140.12 and Thunderbird ESR 140.12 (Mozilla Advisory, Mozilla Advisory). Users and administrators should update to these versions immediately. No configuration-based workarounds have been published; upgrading to the fixed release is the recommended and only confirmed remediation.

Mozilla published coordinated security advisories (MFSA 2026-58 and MFSA 2026-61) on June 16, 2026, addressing this and numerous other vulnerabilities in the same release cycle (Mozilla Advisory). No notable independent researcher commentary, social media discussion, or significant media coverage specific to CVE-2026-12329 has been identified beyond standard vulnerability aggregator coverage.