firefox vulnerability (CVE-2026-12293)
CRITICALUse-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

Mozilla product CVE coverage — Firefox, Thunderbird, browser engine, and certificate-handling vulnerabilities.
Watch items
Showing the 20 most recent items, newest first. Each row links to the official advisory.
20 rows · sorted newest first
Operations viewUse-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.
Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.
Denial-of-service in the Libraries component in NSS. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Denial-of-service in the XML component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Undefined behavior in the Audio/Video component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Incorrect boundary conditions in the Graphics: Text component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Information disclosure in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
| Alert | Exposure | Status | Published | Source |
|---|---|---|---|---|
firefox vulnerability (CVE-2026-12293)Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. firefox | CRITICALCVE-2026-12293 Watch | watch | Jun 16, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-5735)Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2. firefox | CRITICALCVE-2026-5735 Watch | watch | Apr 7, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-5734)Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1. firefox | CRITICALCVE-2026-5734 Watch | watch | Apr 7, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4727)Denial-of-service in the Libraries component in NSS. This vulnerability was fixed in Firefox 149 and Thunderbird 149. firefox | HIGHCVE-2026-4727 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4726)Denial-of-service in the XML component. This vulnerability was fixed in Firefox 149 and Thunderbird 149. firefox | HIGHCVE-2026-4726 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4725)Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149 and Thunderbird 149. firefox | CRITICALCVE-2026-4725 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4724)Undefined behavior in the Audio/Video component. This vulnerability was fixed in Firefox 149 and Thunderbird 149. firefox | CRITICALCVE-2026-4724 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4723)Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149 and Thunderbird 149. firefox | CRITICALCVE-2026-4723 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4719)Incorrect boundary conditions in the Graphics: Text component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox | HIGHCVE-2026-4719 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4718)Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox | HIGHCVE-2026-4718 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4717)Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox | CRITICALCVE-2026-4717 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4716)Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox | CRITICALCVE-2026-4716 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4715)Uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox | CRITICALCVE-2026-4715 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4714)Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox | HIGHCVE-2026-4714 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4713)Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox | HIGHCVE-2026-4713 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4712)Information disclosure in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox | HIGHCVE-2026-4712 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4711)Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox | CRITICALCVE-2026-4711 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4710)Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox | CRITICALCVE-2026-4710 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4709)Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox | HIGHCVE-2026-4709 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
firefox vulnerability (CVE-2026-4708)Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. firefox | HIGHCVE-2026-4708 Watch | watch | Mar 24, 2026, 8:16 AM | NVDOpen source |
Vendor watch hub
The Mozillawatch hub is a vendor-specific view inside ITECS MSP Threat Radar. We pull the latest security advisories, incidents, and known-exploited CVEs directly from the official feeds below, score each one for MSP relevance, and surface what's most likely to need attention this week.
At a glance
Tracked
Active
Featured
Unique CVEs
Most recent entry
Jun 16, 2026, 8:16 AM
Feed refreshes daily · 5:15 a.m. Central
Sources·CISA KEV and NVD (product vendor coverage)
"Most recent entry" is the newest item the upstream feed has published — not our sync time.
ITECS response pathways
These pathways connect the vendor watch feed into service-owner resources that already carry commercial authority.
Use the endpoint detection & response pathway when this vendor alert needs an ITECS-managed response plan.
Connect the vendor watch page to broader managed detection, response, and governance planning.
Translate current watch items into a faster risk snapshot and prioritized remediation plan.
Return to the hub for cross-vendor prioritization, live filtering, and broader MSP threat context.
Vendor watch FAQ
It is the Mozilla-specific view inside ITECS Threat Radar, built to track recent advisories, incidents, and watch items that may affect Dallas-area business operations.
Use it to confirm whether current Mozilla issues overlap with your environment, prioritize remediation, and decide whether you need an assessment, managed security follow-through, or vendor-specific hardening work.
Yes. ITECS can help map Mozilla advisories against your systems, validate affected services, prioritize remediation, and connect the issue to broader managed cybersecurity or managed IT workflows.