Firefox 152 fixes high-severity security flaws that could lead to code execution
Mozilla has released Firefox 152 with fixes for multiple high-severity security vulnerabilities, including memory safety bugs, use-after-free flaws, privilege escalation issues, and sandbox escape weaknesses. The update was released on June 16, 2026, and users should install it as soon as possible.
The main security bulletin, MFSA 2026-57, lists dozens of vulnerabilities fixed in Firefox 152. Several of them affect browser components that process web content, which means a malicious page could become part of an exploit chain.
Mozilla separately says in its security impact ratings that high-severity bugs can be used to gather sensitive data from other windows or inject data or code into sites during normal browsing. Critical bugs carry a higher label, but this Firefox update still deserves urgent attention.
What Firefox 152 fixes
The Firefox 152 security update fixes flaws in WebRender, HTTP networking, WebGPU, DOM Workers, Navigation, process sandboxing, JavaScript JIT behavior, Web Audio, cookies, password manager code, graphics components, and several memory safety areas.
Mozilla’s Firefox 152 release notes confirm that version 152.0 was first offered to Release channel users on June 16, 2026. The same release also brings a redesigned Settings page and a new Private Browsing option that can temporarily disable tracker blocking for a broken tab.
The security part remains the most important reason to update. The bugs include several issues that could help an attacker move from browser compromise toward stronger control, especially if combined with sandbox escape vulnerabilities.
| Area affected | Example issue | Risk |
|---|---|---|
| Graphics: WebRender | CVE-2026-12289 | Privilege escalation |
| Networking: HTTP | CVE-2026-12291 | Use-after-free memory corruption |
| Graphics: WebGPU | CVE-2026-12293 | Use-after-free |
| DOM Workers and Navigation | CVE-2026-12294 and CVE-2026-12295 | Sandbox escape |
| Process sandboxing | CVE-2026-12296 | Sandbox escape |
| DOM and HTML JIT behavior | CVE-2026-12299 | JIT miscompilation |
Why these Firefox flaws matter
Browsers are high-value targets because they process untrusted web content every day. A user may only need to visit a malicious or compromised website for a browser vulnerability to become reachable.
Mozilla’s Firefox 152 advisory includes several memory safety entries. For CVE-2026-12326, Mozilla said some bugs showed evidence of memory corruption and could have been exploited to run arbitrary code with enough effort.
The NVD entry for CVE-2026-12326 repeats that description and confirms the bug was fixed in Firefox 152 and Thunderbird 152. Memory corruption flaws are especially important because attackers often use them as a first step in a larger exploit chain.
Sandbox escapes increase the risk
Modern browsers use sandboxing to limit what a compromised browser process can do. That design helps stop a web page exploit from immediately reaching the wider operating system.
Firefox 152 fixes several sandbox escape vulnerabilities, including flaws in DOM Workers, DOM Navigation, process sandboxing, and networking boundary checks. These issues matter because they can reduce the protection normally provided after an initial browser compromise.
The Center for Internet Security advisory also warns that the most serious Mozilla product vulnerabilities could allow arbitrary code execution. That does not mean every listed flaw causes full compromise by itself, but the collection of fixes creates a broad patching priority.
- Memory corruption bugs can help attackers gain code execution inside the browser.
- Sandbox escapes can help attackers weaken browser isolation.
- JIT miscompilation flaws can create unexpected execution behavior.
- Same-origin policy issues can expose data across web security boundaries.
- Information disclosure bugs can help attackers gather data for later stages.
Firefox ESR and Thunderbird also received fixes
Organizations that use Firefox Extended Support Release should also update. Mozilla published MFSA 2026-58 for Firefox ESR 140.12, which fixes many of the same high-severity and moderate-severity security issues.
Mozilla also released a separate Thunderbird security advisory, MFSA 2026-60, for Thunderbird 152. Mozilla notes that these flaws generally cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but they can still matter in browser-like contexts.
This distinction matters for administrators. Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12 all appear in the wider June Mozilla security update set, but they do not all fall under one advisory.
| Product | Update to install | Primary advisory |
|---|---|---|
| Firefox | Firefox 152 | MFSA 2026-57 |
| Firefox ESR 140 | Firefox ESR 140.12 | MFSA 2026-58 |
| Firefox ESR 115 | Firefox ESR 115.37 | MFSA 2026-59 |
| Thunderbird | Thunderbird 152 | MFSA 2026-60 |
| Thunderbird ESR | Thunderbird 140.12 | MFSA 2026-61 |
Important vulnerabilities in the update
The June 2026 patch set includes a long list of CVEs, but several stand out because they affect core browser security boundaries. CVE-2026-12291 is a use-after-free bug in HTTP networking, while CVE-2026-12293 affects WebGPU.
CVE-2026-12294, CVE-2026-12295, CVE-2026-12296, and CVE-2026-12297 involve sandbox escape conditions. CVE-2026-12299 involves JIT miscompilation in DOM Core and HTML components.
The CVE-2026-12326 listing highlights memory safety bugs that affected Firefox 151 and Thunderbird 151 before Mozilla fixed them in the new versions.
Who should update first?
Everyone using Firefox should update, but some environments should prioritize the patch immediately. That includes businesses, schools, managed desktops, government systems, developers, and users who often open untrusted links.
Admins should also check whether ESR deployments have actually moved to the right branch. The Firefox ESR 140.12 advisory confirms fixes for the supported ESR 140 line, while older legacy environments may need Firefox ESR 115.37.
Thunderbird users should update as well, especially if they use features that open web-like content or integrate with browser components. The Thunderbird 152 advisory explains that email reading disables scripting, but browser-like contexts still carry potential risk.
- Home users should update Firefox to version 152 or later.
- Enterprise users should deploy Firefox ESR 140.12 where ESR is required.
- Legacy supported systems should move to Firefox ESR 115.37 when applicable.
- Thunderbird users should install Thunderbird 152 or Thunderbird 140.12 ESR.
- Admins should verify patch status through endpoint management or vulnerability scanners.
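One way to run that verification against an exported software inventory, as an added example that is not Mozilla's or the article's own tooling: each install is compared with the fixed version for its own branch from the product table, so an ESR 140.12 host is not flagged for being below 152. The CSV layout, host names and version strings are constructed, and treating any 140.x or 115.x version as an ESR install is an assumption.

```python
import re

# Fixed versions taken from the article's product table.
FIXED = {
    "firefox": {"release": (152, 0), "esr": {140: (140, 12), 115: (115, 37)}},
    "thunderbird": {"release": (152, 0), "esr": {140: (140, 12)}},
}

# Constructed sample inventory: host, product, reported version string.
SAMPLE_INVENTORY = """\
ws-001,Firefox,152.0
ws-002,Firefox,151.0.1
srv-010,Firefox,140.11.0esr
srv-011,Firefox,140.12.0esr
kiosk-7,Firefox,115.36.0esr
mail-01,Thunderbird,140.12.0esr
mail-02,Thunderbird,151.0
lab-03,Firefox,not-installed
"""

def parse_version(text):
    """Return (major, minor) from strings such as '140.12.0esr', or None."""
    m = re.match(r"(\d+)(?:\.(\d+))?", text.strip())
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def assess(product, version_text):
    """Return (status, required_version) for one inventory row."""
    table = FIXED.get(product.strip().lower())
    version = parse_version(version_text)
    if table is None or version is None:
        return ("unknown", None)
    # Assumption: a major version matching an ESR branch is an ESR install and is
    # judged against that branch, so 140.12 is patched even though 140 < 152.
    required = table["esr"].get(version[0], table["release"])
    status = "patched" if version >= required else "needs-update"
    return (status, ".".join(map(str, required)))

def audit(inventory_text):
    """Map each host to its (status, required_version) tuple."""
    results = {}
    for line in inventory_text.strip().splitlines():
        host, product, version_text = [f.strip() for f in line.split(",")]
        results[host] = assess(product, version_text)
    return results

if __name__ == "__main__":
    for host, (status, required) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status:13} required={required}")
```

Rows reported as `unknown` (unparseable version or unlisted product) need manual follow-up rather than being counted as patched.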
How to check and update Firefox
Firefox normally updates automatically, but users should still confirm the version after a major security release. Open the menu, go to Help, select About Firefox, and let the browser check for updates.
The Firefox 152 release page also links to downloads for supported platforms. Windows 8.1 and older systems are no longer supported by normal Firefox releases, so those users must use the appropriate ESR build if still eligible.
The broader Mozilla security advisory index is useful for tracking related Firefox, ESR, Thunderbird, and mobile advisories when several products receive fixes on the same day.
Bottom line
Firefox 152 is an important security update, not just a feature release. It fixes high-severity bugs across memory safety, WebGPU, HTTP networking, process sandboxing, DOM components, and JIT behavior.
The CIS advisory frames the broader Mozilla update as a patch set that could prevent arbitrary code execution in affected products. Users and organizations should treat the update as urgent even without public confirmation of active exploitation.
Install Firefox 152, update ESR systems to the correct supported release, and confirm Thunderbird systems have received the June 2026 fixes. Delaying browser updates gives attackers more time to study patched bugs and build reliable exploit chains.
FAQ
Mozilla fixed multiple high-severity vulnerabilities in Firefox 152, including memory safety bugs, use-after-free flaws, privilege escalation issues, sandbox escape vulnerabilities, a JIT miscompilation bug, and other security issues across browser components.
Some memory safety bugs showed evidence of memory corruption, and Mozilla said some could have been exploited to run arbitrary code with enough effort. The overall risk increases when memory corruption bugs are chained with sandbox escape vulnerabilities.
Mozilla’s advisory describes the fixed vulnerabilities but does not state that the Firefox 152 flaws are under active exploitation. Users should still update quickly because attackers often study newly patched browser bugs.
Users should install Firefox 152 or later. Organizations using ESR should install Firefox ESR 140.12, while supported legacy systems that still rely on the ESR 115 line should install Firefox ESR 115.37.
Open Firefox, select the menu button, go to Help, then About Firefox. Firefox will check for updates and install the latest available version. Restart the browser when prompted to complete the update.