Mozilla Foundation Security Advisory 2026-59
Security Vulnerabilities fixed in Firefox ESR 115.37
- Announced: June 16, 2026
- Impact: high
- Products: Firefox ESR
- Fixed in: Firefox ESR 115.37
CVE-2026-12289: Privilege escalation in the Graphics: WebRender component
- Reporter: choeseyeong
- Impact: high
References
CVE-2026-12290: Memory safety bug fixed in Firefox ESR 115.37
- Reporter: jayjayjazz
- Impact: high
References
CVE-2026-12291: Use-after-free in the Networking: HTTP component
- Reporter: Zijie Zhao
- Impact: high
References
CVE-2026-12294: Sandbox escape in the DOM: Workers component
- Reporter: Quy Pham
- Impact: high
References
CVE-2026-12295: Sandbox escape in the DOM: Navigation component
- Reporter: Yaqoub Aldurayhim
- Impact: high
References
CVE-2026-12297: Sandbox escape due to incorrect boundary conditions in the Networking component
- Reporter: zx
- Impact: high
References
CVE-2026-12299: JIT miscompilation in the DOM: Core & HTML component
- Reporter: Hyeonjun Ahn
- Impact: high
References
CVE-2026-12302: Mitigation bypass in the DOM: Security component
- Reporter: lebr0nli
- Impact: moderate
References
CVE-2026-12330: Incorrect boundary conditions in the Internationalization component
- Reporter: Mozilla Fuzzing Team
- Impact: moderate
References
CVE-2026-12325: Denial-of-service in the Graphics: ImageLib component
- Reporter: Securin
- Impact: low
References
CVE-2026-12328: Memory safety bugs fixed in Firefox ESR 115.37, Firefox ESR 140.12, Thunderbird ESR 140.12, Firefox 152 and Thunderbird 152
- Reporter: Andrew McCreight, Randell Jesup, Tom Ritter and the Mozilla Fuzzing Team
- Impact: high
Description
Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.