Skip to content

⛐ It's the "twenty-nine CVEs but who's counting" release!

Latest
Latest

Choose a tag to compare

View all tags
@SyntaxError-PEBKAC SyntaxError-PEBKAC released this 17 Jun 17:32
140.12.0
88cf637
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

🔄 Updated to Firefox ESR 140.12.0.

🛡️ Addressed 29 CVEs from Mozilla Foundation Security Advisory 2026-58 (June 16, 2026). No critical severity, no active exploitation reported — though this is the heaviest patch cycle in the 140.x series so far: 12 high-severity patches including four separate sandbox escapes and a JIT miscompilation, 15 moderate, 2 low.

High severity:

  • CVE-2026-12289 — privilege escalation in the Graphics: WebRender component
  • CVE-2026-12290 — memory safety bug in Firefox ESR 140.12
  • CVE-2026-12291 — use-after-free in the Networking: HTTP component
  • CVE-2026-12292 — incorrect boundary conditions in the Web Audio component
  • CVE-2026-12294 — sandbox escape in the DOM: Workers component
  • CVE-2026-12295 — sandbox escape in the DOM: Navigation component
  • CVE-2026-12296 — sandbox escape in the Security: Process Sandboxing component
  • CVE-2026-12297 — sandbox escape via incorrect boundary conditions in the Networking component
  • CVE-2026-12298 — memory safety bug in Firefox ESR 140.12
  • CVE-2026-12299 — JIT miscompilation in the DOM: Core & HTML component
  • CVE-2026-12328 — memory safety bugs shared across ESR 115.37, ESR 140.12, and Firefox 152 (evidence of memory corruption, plausible RCE potential)
  • CVE-2026-12329 — memory safety bug in Firefox ESR 140.12

Moderate severity:

  • CVE-2026-12302 — mitigation bypass in the DOM: Security component
  • CVE-2026-12304 — same-origin policy bypass in the Networking: Cookies component
  • CVE-2026-12305 — memory safety bug in Firefox ESR 140.12
  • CVE-2026-12306 — memory safety bug in Firefox ESR 140.12
  • CVE-2026-12307 — memory safety bug in Firefox ESR 140.12
  • CVE-2026-12308 — memory safety bug in Firefox ESR 140.12
  • CVE-2026-12309 — memory safety bug in Firefox ESR 140.12
  • CVE-2026-12310 — memory safety bug in Firefox ESR 140.12
  • CVE-2026-12311 — information disclosure + sandbox escape in the Security: Process Sandboxing component
  • CVE-2026-12312 — memory safety bug in Firefox ESR 140.12
  • CVE-2026-12313 — information disclosure + sandbox escape in the Security: Process Sandboxing component
  • CVE-2026-12314 — memory safety bug in Firefox ESR 140.12
  • CVE-2026-12315 — mitigation bypass in the DOM: Security component
  • CVE-2026-12327 — memory safety bugs shared across ESR 140.12 and Firefox 152 (evidence of memory corruption, plausible RCE potential)
  • CVE-2026-12330 — incorrect boundary conditions in the Internationalization component

Low severity:

  • CVE-2026-12324 — incorrect boundary conditions in the Graphics: CanvasWebGL component
  • CVE-2026-12325 — denial-of-service in the Graphics: ImageLib component

✅ SHA512:

ducksteps.140.12.0.Setup.exe
c131a38b4a67ada34235076846650e42a97eb198709c4e20c633eb4fba9d24d18d2e49beb632cc8ec2633ead7243f1425f7e402663c18e5e3c7cf701db7cb269

ducksteps.140.12.0.Standalone.7z
5f7d77eda0af4535489a1d7d2901539c86dc81d9b97874142c6665279ab33dcc1343b524fb93af4c49b36de35c7c5fbb5bbb95b91a1be17d320e834f8c639799

ducksteps.140.12.0.Legacy.Setup.exe
5f0d8403b8a6f21da4b2a094aa8aa762d98697a53973dfdb5ac4778d6785dc4d9f704ad8fd4ef60824a0b3b3413f684f86cfc380010e760971e5a2b93f99808a

ducksteps.140.12.0.Legacy.Standalone.7z
023d97843a4b4796fd533ae739e2e168a91d7a14c4325d55b6b513bc8672cc4b2e1f1cfa36e216709166f76d2fbd496803a014051567cef97957bc2267c5744b

🚨 VirusTotal Results:

ducksteps.140.12.0.Setup.exe

ducksteps.140.12.0.Standalone.7z

ducksteps.140.12.0.Legacy.Setup.exe

ducksteps.140.12.0.Legacy.Standalone.7z

Assets 6
Loading
0 Join discussion