CVE-2026-12328 – Firefox

CVSS 8.1 IMPORTANT High or Medium – Important Deployment

“Memory corruption bugs may stay hidden until they become a path to code execution.”

This patch addresses three memory safety vulnerabilities in Mozilla Firefox and Thunderbird. CVE-2026-12326, CVE-2026-12327, and CVE-2026-12328 affect multiple Firefox, Firefox ESR, and Thunderbird releases. Mozilla reported that these issues involve memory safety defects that showed evidence of memory corruption. Such conditions can potentially be leveraged to execute arbitrary code under certain circumstances.

CVE-2026-12326 has a CVSS score of 8.1, which is High severity. CVE-2026-12327 has a CVSS score of 8.1, which is High severity. CVE-2026-12328 has a CVSS score of 8.1, which is High severity.

The vulnerabilities were corrected in Firefox 152, Thunderbird 152, Firefox ESR 140.12, Thunderbird ESR 140.12, and Firefox ESR 115.37, depending on the affected product branch. While no verified exploitation has been reported, the presence of memory corruption behavior increases the security risk and warrants prompt patching.

Key Details

Affected Product
Mozilla Firefox
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
CWE Classification
CWE-120
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.