CVE-2026-12328
Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these
CVSS
8.1
High
EPSS
0.5%
p38
KEV
—
Exploit Today
11
0-100
Published: Jun 16, 2026 · Last modified: Jul 15, 2026 · CWE-120 · CWE-825
0.5%EPSS · 30 days0.5%
2026-06-302026-07-17
Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
- bugzilla.mozilla.orghttps://bugzilla.mozilla.org/buglist.cgi?bug_id=2029402%2C2038477%2C2039726%2C2041373%2C2042268%2C2042451%2C2042782%2C2042858%2C2042929%2C2042965%2C2043213
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-57/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-58/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-59/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-60/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-61/
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:27717
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:27733
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:27734
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:29940
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:30846
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:33445
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36100
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36101
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36102
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36103
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:37210
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:37391
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:38506
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:38750
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-312778.8 HIG71.0%
KEV—71Apple Multiple Products Buffer Overflow Vulnerability3dCVE-2025-154678.8 HIG98.7%
——30Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with
maliciously crafted AEAD parameters can trigger a stack buffer overflow.
Impact summary: A stack buffer overflow may lead to a crash, causing Denial
of Service, or potentially remote code execution.
When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as
AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is
copied into a fixed-size stack buffer without verifying that its length fits
the destination. An attacker can supply a crafted CMS message with an
oversized IV, causing a stack-based out-of-bounds write before any
authentication or tag verification occurs.
Applications and services that parse untrusted CMS or PKCS#7 content using
AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable.
Because the overflow occurs prior to authentication, no valid key material
is required to trigger it. While exploitability to remote code execution
depends on platform and toolchain mitigations, the stack-based write
primitive represents a severe risk.
The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this
issue, as the CMS implementation is outside the OpenSSL FIPS module
boundary.
OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.
OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.3dCVE-2026-276548.2 HIG97.4%
——29NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.3dCVE-2022-374349.8 CRI96.5%
——29zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).4dCVE-2026-335267.5 HIG94.7%
——28Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero `icp_port`). This problem _cannot_ be mitigated by denying ICP queries using `icp_access` rules. Version 7.5 contains a patch.3dCVE-2024-548878.0 HIG91.7%
——28TP-Link TL-WR940N V3 and V4 with firmware 3.16.9 and earlier contain a buffer overflow via the dnsserver1 and dnsserver2 parameters at /userRpm/Wan6to4TunnelCfgRpm.htm. This vulnerability allows an authenticated attacker to execute arbitrary code on the remote device in the context of the root user.14d