CVE-2026-12294

Published Jun 16, 2026

Last updated 2 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-12294 is identified as a sandbox escape vulnerability found within the DOM Workers component of Mozilla Firefox. This flaw was reported by Quy Pham. The vulnerability has been addressed and resolved in several product versions, including Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37. The fix was also applied to Thunderbird 152 and Thunderbird 140.12. This remediation was part of a broader security update that tackled various other high-impact vulnerabilities across different Firefox components.

Description: Sandbox escape in the DOM: Workers component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
Source: security@mozilla.org
NVD status: Analyzed
Products: firefox, thunderbird

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.6
Impact score: 6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-693

Hype score: Not currently trending

Firefox-152でUse-After-Free（解放済みメモリの再利用）やサンドボックスエスケープなどHigh評価の脆弱性が複数修正されています。HTTPのUse-After-Free（CVE-2026-12291）、WebGPUのUse-After-Free（CVE-2026-12293）、サンドボック
@MalwareBibleJP
20 Jun 2026
2070 Impressions
5 Retweets
11 Likes
2 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*",
            "matchCriteriaId": "60E86F4A-420C-4F69-8081-79D1F64411C7",
            "versionEndExcluding": "115.37.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*",
            "matchCriteriaId": "26C07C15-4B40-4068-A2F1-BE3E597D14B7",
            "versionEndExcluding": "152.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*",
            "matchCriteriaId": "034DA8EC-AD2B-4304-974F-078901E541D1",
            "versionEndExcluding": "140.12.0",
            "versionStartIncluding": "128.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*",
            "matchCriteriaId": "767E6445-0CE7-46B5-A02B-EC06D37E45F8",
            "versionEndExcluding": "140.12.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*",
            "matchCriteriaId": "77D88ED0-AABD-4312-98B8-3D4B70226577",
            "versionEndExcluding": "152.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.