
Cloud Vulnerability DB
A community-led vulnerability database
CVE-2026-12330 is a vulnerability caused by incorrect boundary conditions in the Internationalization component of Mozilla Firefox and Thunderbird. Discovered by the Mozilla Fuzzing Team and disclosed on June 16, 2026, it affects Firefox ESR versions prior to 140.12 and 115.37, as well as Thunderbird prior to 140.12. It carries a CVSS v3.1 base score of 5.4 (Medium), though Mozilla rates its impact as moderate (Mozilla Advisory mfsa2026-58, Mozilla Advisory mfsa2026-59).
The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), stemming from incorrect boundary checks within Firefox's Internationalization (i18n) component. An attacker can exploit this via a network-based attack vector requiring user interaction (e.g., visiting a malicious web page), with no privileges required. The bug was identified through fuzzing (Bug 2029326) and the underlying details remain restricted in Mozilla's Bugzilla (Mozilla Advisory mfsa2026-58, Mozilla Advisory mfsa2026-59). No public proof-of-concept exploit code has been identified at this time.
Successful exploitation could result in limited confidentiality and integrity impacts, consistent with the CVSS scoring of low confidentiality and low integrity impact with no availability impact. An attacker who tricks a user into visiting a crafted web page could potentially read or manipulate data processed by the Internationalization component. The vulnerability's moderate severity and requirement for user interaction limit its scope compared to higher-severity memory safety issues patched in the same release cycle (Mozilla Advisory mfsa2026-58, Mozilla Advisory mfsa2026-59).
Mozilla has released patches addressing CVE-2026-12330 in Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 140.12, all announced on June 16, 2026. Users and administrators should update to these versions or later immediately. No configuration-based workarounds have been published; upgrading to a patched release is the only recommended remediation (Mozilla Advisory mfsa2026-58, Mozilla Advisory mfsa2026-59).
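A branch-aware version check for triaging an inventory against the fixed releases listed above, as an added example that is not code from Mozilla or from this page. The product keys and the inventory rows are constructed assumptions, and treating a release branch with no listed fix as affected is an assumption that follows the "prior to" wording above.

```python
import re

# Fixed releases as stated on this page, keyed by product and release branch.
# The product keys ("firefox-esr", "thunderbird") are labels chosen for this example.
FIXED = {
    "firefox-esr": {115: (115, 37), 140: (140, 12)},
    "thunderbird": {140: (140, 12)},
}


def parse_version(text):
    """Turn '140.12.0esr' into (140, 12, 0) so 140.9 sorts below 140.12."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def status(product, version_text):
    """Return 'affected', 'patched' or 'unknown-product' for one install."""
    branches = FIXED.get(product)
    if branches is None:
        return "unknown-product"
    v = parse_version(version_text)
    fix = branches.get(v[0])
    if fix is not None:
        # Compare against the fix for the install's own branch, so that
        # 115.37 is not flagged merely for being lower than 140.12.
        return "affected" if v < fix else "patched"
    # Assumption: a branch with no listed fix counts as affected while it is
    # below the newest fixed release for that product.
    return "affected" if v < max(branches.values()) else "patched"


def affected_hosts(inventory):
    """inventory: iterable of (host, product, version) rows."""
    return [host for host, product, version in inventory
            if status(product, version) == "affected"]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "firefox-esr", "140.9.0esr"),
    ("ws-02", "firefox-esr", "115.37.0esr"),
    ("ws-03", "firefox-esr", "128.14.0esr"),
    ("ws-04", "thunderbird", "140.12.0"),
    ("ws-05", "thunderbird", "140.11.1"),
]

if __name__ == "__main__":
    print(affected_hosts(SAMPLE_INVENTORY))
```

Plain string comparison would rank `140.9.0` above `140.12.0`, and a single "below 140.12" threshold would flag the patched 115.37 release, which is why the check parses versions numerically and compares per branch.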
The vulnerability was reported by the Mozilla Fuzzing Team as part of a broader June 16, 2026 security release that addressed numerous high- and moderate-severity issues across Firefox ESR and Thunderbird. No notable independent researcher commentary or significant social media discussion specific to CVE-2026-12330 has been identified, likely due to its moderate severity relative to other vulnerabilities patched in the same release (Mozilla Advisory mfsa2026-58).
Source: This report was generated with the help of AI