
CVE-2026-12299: Mozilla Firefox JIT Miscompilation Flaw

CVE-2026-12299 is a JIT miscompilation vulnerability in the DOM: Core & HTML component of Mozilla Firefox and Thunderbird that can cause type confusion when the application processes attacker-controlled web content. This article covers technical details, affected versions, and patches.


CVE-2026-12299 Overview

CVE-2026-12299 is a Just-In-Time (JIT) miscompilation vulnerability in the DOM: Core & HTML component of Mozilla Firefox and Thunderbird. The flaw is classified as a type confusion issue [CWE-843], where the JIT compiler generates code that operates on values of an unexpected type. Mozilla fixed the issue in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. Exploitation requires user interaction, such as visiting a malicious web page or rendering attacker-controlled HTML inside the email client.

Critical Impact

A remote attacker can leverage JIT miscompilation to trigger type confusion in the DOM engine, leading to limited confidentiality and integrity impact through attacker-controlled web content.

Affected Products

  • Mozilla Firefox prior to 152
  • Mozilla Firefox ESR prior to 140.12 and 115.37
  • Mozilla Thunderbird prior to 152 and 140.12

Discovery Timeline

  • 2026-06-16 - CVE-2026-12299 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-12299

Vulnerability Analysis

The vulnerability resides in the JavaScript JIT compiler interacting with the DOM: Core & HTML component. Modern JavaScript engines speculate on object shapes and value types to emit optimized native code. When the compiler's assumptions diverge from runtime reality, the emitted machine code interprets memory using the wrong type. This category of bug is tracked as type confusion under [CWE-843].

In this case, the miscompilation occurs while handling DOM objects exposed through Core & HTML interfaces. An attacker who controls the script running against these interfaces can force the JIT into a state where compiled code mishandles object representations. The result is limited disclosure of in-process data and limited integrity impact on engine state. Mozilla rates the issue at CVSS 5.4 with no availability impact reported.

Root Cause

The root cause is incorrect type assumptions made by the JIT optimizer for specific DOM: Core & HTML code paths. Optimized code skips runtime type checks the interpreter would normally perform. When an attacker arranges objects that violate the compiler's invariants, the optimized path reads or writes memory through the wrong type lens, producing type confusion.

Attack Vector

Exploitation occurs over the network and requires user interaction. A victim must load attacker-controlled web content in Firefox or render attacker-controlled HTML in Thunderbird. No privileges or prior authentication are required. The Mozilla Bugzilla report (bug 2043139) and advisories MFSA-2026-57 through MFSA-2026-61 document the affected code paths.

No public proof-of-concept code is available. See the Mozilla Bugzilla Report for technical details once Mozilla unrestricts the bug.

Detection Methods for CVE-2026-12299

Indicators of Compromise

  • Firefox or Thunderbird processes crashing with signatures referencing JIT-compiled stubs or DOM bindings on systems still running pre-patch versions.
  • Outbound connections from browser or mail client processes to recently registered domains immediately after rendering untrusted HTML.
  • Unexpected child processes spawned by firefox.exe or thunderbird.exe shortly after a browsing or email-rendering session.

Detection Strategies

  • Inventory Firefox and Thunderbird versions across endpoints and flag any build older than the fixed releases (Firefox 152, ESR 140.12, ESR 115.37, Thunderbird 152, Thunderbird 140.12).
  • Hunt for anomalous memory access patterns or crash dumps generated by browser and Thunderbird processes, which often precede successful type confusion exploitation.
  • Correlate web proxy and DNS telemetry with browser process activity to identify users visiting attacker infrastructure delivering malicious scripts.
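
The version inventory check in the first strategy above is easy to get wrong because the fix shipped on several branches: a plain "older than 152" test flags patched ESR builds, and a plain "at least 115.37" test passes an unpatched 140.11. The following is an added example, not Mozilla's or this page's own tooling; the hostnames and collected `--version` strings are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed releases listed on this page, as (major, minor) per branch.
FIXED = {
    "firefox": [(152, 0), (140, 12), (115, 37)],
    "thunderbird": [(152, 0), (140, 12)],
}
# Matches `--version` output such as "Mozilla Firefox 140.11.0esr".
VERSION_RE = re.compile(r"(firefox|thunderbird)\s+(\d+)\.(\d+)", re.I)

def classify(version_output):
    """Return (product, version, status) for one --version output line."""
    m = VERSION_RE.search(version_output)
    if not m:
        return (None, None, "unparsed")
    product = m.group(1).lower()
    ver = (int(m.group(2)), int(m.group(3)))
    branches = FIXED[product]
    if ver >= max(branches):
        return (product, "%d.%d" % ver, "patched")
    # Below the newest fixed release, a build is only patched if its
    # major version is a branch that received the fix (an ESR branch).
    same_branch = [b for b in branches if b[0] == ver[0]]
    status = "patched" if same_branch and ver >= same_branch[0] else "vulnerable"
    return (product, "%d.%d" % ver, status)

def flag_inventory(rows):
    """rows: (host, version_output) pairs. Return the rows needing action."""
    checked = ((host, *classify(out)) for host, out in rows)
    return [row for row in checked if row[3] != "patched"]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-001", "Mozilla Firefox 152.0"),
    ("ws-002", "Mozilla Firefox 151.0.1"),
    ("ws-003", "Mozilla Firefox 140.12.0esr"),
    ("ws-004", "Mozilla Firefox 140.11.0esr"),
    ("ws-005", "Mozilla Firefox 115.37.0esr"),
    ("ws-006", "Mozilla Firefox 128.14.0esr"),   # branch with no fix listed
    ("ws-007", "Mozilla Thunderbird 140.11.0esr"),
    ("ws-008", "Mozilla Thunderbird 152.0"),
    ("ws-009", "firefox: command not found"),    # collection failure
]

if __name__ == "__main__":
    for finding in flag_inventory(SAMPLE):
        print(finding)
```

Hosts whose output cannot be parsed are returned as "unparsed" rather than silently treated as patched, so collection failures still show up in the findings.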

Monitoring Recommendations

  • Forward Windows Error Reporting, macOS crash logs, and Linux core dumps from user endpoints to a central log store for triage.
  • Monitor EDR telemetry for browser processes performing unusual file writes, registry changes, or network calls following script execution.
  • Track Mozilla advisories MFSA-2026-57 through MFSA-2026-61 for any updates or related follow-up CVEs.

How to Mitigate CVE-2026-12299

Immediate Actions Required

  • Update Firefox to version 152 or later on all managed endpoints.
  • Update Firefox ESR deployments to 140.12 or 115.37 depending on the ESR channel in use.
  • Update Thunderbird to version 152 or 140.12 across mail clients.
  • Restart browser and mail client processes after patching to ensure new binaries are loaded.

Patch Information

Mozilla addressed CVE-2026-12299 in the June 2026 release cycle. Patch details are published in Mozilla Security Advisory MFSA-2026-57, MFSA-2026-58, MFSA-2026-59, MFSA-2026-60, and MFSA-2026-61. Administrators should apply vendor-supplied builds rather than building from source to ensure all related fixes are present.

Workarounds

  • Disable JavaScript on untrusted sites using browser policies or extensions where patching is delayed.
  • Configure Thunderbird to render messages as plain text to reduce exposure to attacker-controlled HTML and scripts.
  • Restrict outbound network access from endpoints running unpatched browser versions until upgrades complete.
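
Verify the installed Firefox version on Linux endpoints:

```bash
firefox --version
```

Example enterprise policy snippet to disable JavaScript on untrusted zones, placed in /etc/firefox/policies/policies.json. Confirm the policy key against Mozilla's enterprise policy documentation for the deployed Firefox version, and check about:policies on a test endpoint to verify that it is applied:

```json
{
  "policies": {
    "JavaScriptDisabled": ["http://untrusted.example"]
  }
}
```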

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
