CVE-2026-12293: Firefox and Thunderbird WebGPU use-after-free

CVE-2026-12293 is a CVSS 9.8 CRITICAL use-after-free vulnerability in the WebGPU graphics component shared by Firefox and Thunderbird, published 16 June 2026. It was fixed in Firefox 152 and Thunderbird 152.

TL;DR: Firefox and Thunderbird WebGPU use-after-free, classified as CWE-416 (Use After Free). NVD and Mozilla both score it 9.8 CRITICAL. The exploitation path is memory corruption in the WebGPU implementation. Mozilla's advisory does not say which process the freed object lives in: Firefox splits WebGPU between the content process and the GPU process (or the parent process on platforms without one) that hosts the wgpu backend, and only a UAF on the far side of that IPC boundary hands an attacker a sandbox-escape primitive rather than plain content-process code execution. Plan for the sandbox-escape case as the worst case, but do not treat it as an established fact about this bug.

What This Vulnerability Is

Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

The National Vulnerability Database assigned this issue a CVSS base score of 9.8, placing it in the CRITICAL category. The identifier CVE-2026-12293 was published on 16 June 2026. The weakness class is CWE-416 (Use After Free).

CVE Identifier: CVE-2026-12293
CVSS Base Score: 9.8 / 10.0 (CRITICAL)
Weakness Class: CWE-416 (Use After Free)
Published: 16 June 2026
Affected Products: Mozilla Firefox before 152, Mozilla Thunderbird before 152
Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2026-57/
Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=2039568

How a Sherlock Forensic Examiner Triages a Suspected Firefox WebGPU Compromise

If you suspect this vulnerability has been exploited against a user workstation running Firefox or Thunderbird, the first artifact a Sherlock forensic examiner pulls is the browser crash record. Firefox writes crash reports to %APPDATA%\Mozilla\Firefox\Crash Reports\ on Windows or ~/.mozilla/firefox/Crash Reports/ on Linux; Thunderbird uses the same layout under %APPDATA%\Thunderbird\ and ~/.thunderbird/. Unsubmitted reports sit in the pending\ subfolder as minidump (.dmp) and annotation (.extra) pairs; submitted\ holds only stubs carrying the server-side crash ID. Preserve every .dmp and .extra file with a SHA-256 hash. The crash stack is the key forensic field. Note that the "crash signature" shown on crash-stats.mozilla.org is computed server-side; to reproduce it from a preserved minidump, run minidump-stackwalk against the .dmp with matching symbols. A failed or unstable exploitation attempt against this bug will typically fault inside mozilla::webgpu or wgpu frames, but a clean, successful exploit may leave no crash at all, so the absence of a crash record is not exculpatory. Cross-reference any crash in the suspected exploitation window with the navigation timeline in %APPDATA%\Mozilla\Firefox\Profiles\<profile>.default\places.sqlite (newer profiles use <profile>.default-release). Copy places.sqlite together with its places.sqlite-wal sidecar, or recent visits still in the write-ahead log will be missing from the copy. The Sherlock Forensics Browser Viewer Forensic Edition opens the places.sqlite database without a running Firefox instance.
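
The crash-to-history correlation described above, as an added example (not Sherlock or Mozilla code). It assumes that .extra files are JSON carrying a CrashTime annotation in epoch seconds and that moz_historyvisits.visit_date is epoch microseconds; both are labelled as assumptions in the code, and the sample crash report and history rows it builds are constructed, not real artifacts.

```python
"""Correlate Firefox crash reports with places.sqlite history.

Added example for this page, not Sherlock or Mozilla code. Assumptions
(labelled): .extra files are JSON and carry a CrashTime annotation in seconds
since the epoch; moz_historyvisits.visit_date is microseconds since the epoch.
Work on a copy of the profile that includes places.sqlite-wal.
"""
import json
import os
import sqlite3
import tempfile


def load_crash_times(crash_reports_dir):
    """Return {crash_id: epoch_seconds} for every .extra file under the tree
    (pending/ and submitted/ are both walked)."""
    crashes = {}
    for root, _dirs, files in os.walk(crash_reports_dir):
        for name in files:
            if not name.endswith(".extra"):
                continue
            with open(os.path.join(root, name), encoding="utf-8") as fh:
                meta = json.load(fh)
            # Assumption: CrashTime is present and, like other annotations, a string.
            crashes[name[: -len(".extra")]] = int(meta["CrashTime"])
    return crashes


def visits_before(places_db, crash_time, window_s=300):
    """Return [(url, epoch_seconds)] for visits in the window before crash_time."""
    lo, hi = (crash_time - window_s) * 1_000_000, crash_time * 1_000_000
    con = sqlite3.connect(places_db)
    try:
        rows = con.execute(
            "SELECT p.url, v.visit_date FROM moz_historyvisits v "
            "JOIN moz_places p ON p.id = v.place_id "
            "WHERE v.visit_date BETWEEN ? AND ? ORDER BY v.visit_date",
            (lo, hi),
        ).fetchall()
    finally:
        con.close()
    return [(url, vd // 1_000_000) for url, vd in rows]


def correlate(crash_reports_dir, places_db, window_s=300):
    """Map each crash id to the pages visited in the minutes before it."""
    return {cid: visits_before(places_db, t, window_s)
            for cid, t in load_crash_times(crash_reports_dir).items()}


def build_sample(root):
    """Constructed sample artifacts (not real data): one pending crash and
    three visits, only one of which falls inside the 5-minute window."""
    crash_t = 1_750_000_000
    pending = os.path.join(root, "Crash Reports", "pending")
    os.makedirs(pending)
    crash_id = "c0ffee00-0000-4000-8000-000000000001"
    with open(os.path.join(pending, crash_id + ".extra"), "w", encoding="utf-8") as fh:
        json.dump({"ProductName": "Firefox", "CrashTime": str(crash_t)}, fh)
    db = os.path.join(root, "places.sqlite")
    con = sqlite3.connect(db)
    con.executescript(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);"
        "CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, "
        "place_id INTEGER, visit_date INTEGER);"
    )
    con.executemany("INSERT INTO moz_places VALUES (?, ?)", [
        (1, "https://intranet.example/"),
        (2, "https://shader-demo.example/gpu.html"),
        (3, "https://news.example/"),
    ])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", [
        (1, 1, (crash_t - 3600) * 1_000_000),  # an hour earlier: outside window
        (2, 2, (crash_t - 40) * 1_000_000),    # 40 s before the crash: inside
        (3, 3, (crash_t + 600) * 1_000_000),   # after the crash: excluded
    ])
    con.commit()
    con.close()
    return os.path.join(root, "Crash Reports"), db


def run_demo():
    """Build the sample in a temp dir and return the correlation result."""
    root = tempfile.mkdtemp(prefix="ff-triage-")
    crash_dir, db = build_sample(root)
    return correlate(crash_dir, db)


if __name__ == "__main__":
    for cid, visits in run_demo().items():
        print(cid)
        for url, t in visits:
            print(f"  {t}  {url}")
```

Point correlate() at the preserved Crash Reports directory and the copied places.sqlite; widen window_s if the user habitually leaves tabs open, since the exploit page may have been loaded well before the object was freed.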

The second artifact is the process tree. Firefox uses a multi-process architecture with separate processes for the main browser, content renderers, the GPU and utility tasks. A WebGPU exploit that escapes the GPU process boundary produces anomalous process activity. On Windows, pull Sysmon Event ID 1 process-creation logs for firefox.exe and thunderbird.exe children. Legitimate children are further firefox.exe instances (content, GPU and utility processes are all firefox.exe launched with a -contentproc argument) and the helper binaries shipped in the install directory: updater.exe, crashreporter.exe and pingsender.exe. Anything else, especially cmd.exe, powershell.exe, certutil.exe, rundll32.exe, mshta.exe or any unsigned executable, is the post-exploitation pivot. Applications the user opened from the browser, such as a PDF reader launched for a download, also appear as firefox.exe children, so tune the allowlist against your own baseline before treating a hit as conclusive.
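
The same process-tree triage run over exported Sysmon Event ID 1 records, as an added example in Python (not Sherlock, Mozilla or Sysmon code). The expected-children list and the user-writable-path heuristic are assumptions to tune against your own baseline, and the events it evaluates are constructed, not real telemetry.

```python
"""Triage Sysmon Event ID 1 records for unexpected firefox.exe/thunderbird.exe
children. Added example mirroring this page's Sigma logic; not Sherlock,
Mozilla or Sysmon code. Allowlists and path heuristics are assumptions."""
import ntpath

BROWSER_IMAGES = {"firefox.exe", "thunderbird.exe"}

# Assumption: children Mozilla binaries spawn in normal operation. Child
# processes are further firefox.exe instances; the helpers ship in the
# install directory.
EXPECTED_CHILDREN = {"firefox.exe", "thunderbird.exe", "updater.exe",
                     "crashreporter.exe", "pingsender.exe"}

# LOLBins a browser or mail client has no reason to launch.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                      "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                      "cscript.exe", "bitsadmin.exe", "msiexec.exe"}

# Heuristic (assumption): executables dropped into these locations are
# attacker-staged until proven otherwise.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\windows\\temp\\")


def _basename(path):
    # Sysmon logs Windows paths; compare case-insensitively, as Sigma's
    # endswith modifier does.
    return ntpath.basename(path or "").lower()


def triage(events):
    """Return findings for EID 1 events whose parent is a browser image and
    whose child is not on the expected list."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if _basename(ev.get("ParentImage")) not in BROWSER_IMAGES:
            continue
        child_path = (ev.get("Image") or "").lower()
        child = _basename(child_path)
        if child in EXPECTED_CHILDREN:
            continue
        level = "medium"
        if child in HIGH_RISK_CHILDREN or any(m in child_path for m in USER_WRITABLE):
            level = "high"
        findings.append({"level": level, "child": child,
                         "command_line": ev.get("CommandLine", ""),
                         "time": ev.get("UtcTime", "")})
    return findings


# Constructed Sysmon EID 1 records (not real telemetry); field names follow
# Sysmon's process-creation schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-06-17 09:14:02.101",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": '"C:\\Program Files\\Mozilla Firefox\\firefox.exe" -contentproc -isForBrowser'},
    {"EventID": 1, "UtcTime": "2026-06-17 09:14:05.337",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Program Files\Mozilla Firefox\pingsender.exe",
     "CommandLine": "pingsender.exe https://incoming.telemetry.mozilla.org/..."},
    {"EventID": 1, "UtcTime": "2026-06-17 09:14:09.880",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\FIREFOX.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"EventID": 1, "UtcTime": "2026-06-17 09:14:11.002",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "CommandLine": "svc.exe"},
    {"EventID": 1, "UtcTime": "2026-06-17 09:15:00.000",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 3, "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['level']}] {f['time']} firefox -> {f['child']}: {f['command_line']}")
```

Only the two pivots survive: the content process and pingsender.exe are expected children, explorer.exe is not a browser parent, and the network-connection event is not process creation. The mixed-case parent path is deliberate; a rule that compares paths case-sensitively would miss it.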

The third artifact is the browser cache and network state. The exploit page must have loaded, and unless it was served with Cache-Control: no-store its content is in the cache. The Browser Viewer parses Chrome, Firefox, Edge, Safari and Tor Browser cache structures. Preserve %LOCALAPPDATA%\Mozilla\Firefox\Profiles\<profile>.default\cache2\ with a SHA-256 hash. There is no standard content type for WebGPU shaders: the web API accepts only WGSL source, which is normally embedded as string literals in the page's JavaScript and passed to createShaderModule(). Search cached JavaScript and HTML for WebGPU API calls (navigator.gpu, requestAdapter, requestDevice, createShaderModule) and WGSL attributes (@compute, @workgroup_size, @vertex, @fragment); a page that drives WebGPU without any visible rendering purpose is the candidate exploit page. cache2 stores the response body as served, so gzip- or brotli-encoded responses must be decoded before searching.
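
A cache2 marker scan of the kind described above, as an added example (not Sherlock or Mozilla code). It assumes the cache2 entry layout of body, then metadata, then a 4-byte big-endian metadata offset, with the null-terminated entry key ending in ':' plus the URL; those assumptions are labelled in the code, and the entries it builds are constructed to that shape rather than copied from a real profile.

```python
"""Scan Firefox cache2 entries for WebGPU/WGSL markers.

Added example for this page, not Sherlock or Mozilla code. Assumptions
(labelled): a cache2 entry file is [response body][metadata][4-byte big-endian
offset of the metadata]; the entry key inside the metadata is null-terminated
and ends with ':' followed by the URL. Brotli bodies need the optional brotli
package; without it they are reported as undecodable rather than silently clean.
"""
import gzip
import os
import re
import struct
import tempfile

WGSL_MARKERS = [b"navigator.gpu", b"requestAdapter", b"requestDevice",
                b"createShaderModule", b"@compute", b"@workgroup_size",
                b"@vertex", b"@fragment"]
URL_RE = re.compile(rb":((?:https?|file)://[^\x00]+)\x00")


def split_entry(data):
    """Split a cache2 entry file into (body, metadata) via the trailing offset."""
    if len(data) < 4:
        return data, b""
    (meta_off,) = struct.unpack(">I", data[-4:])
    if meta_off > len(data) - 4:
        return data, b""  # trailer does not look like a cache2 entry
    return data[:meta_off], data[meta_off:-4]


def entry_url(metadata):
    m = URL_RE.search(metadata)
    return m.group(1).decode("utf-8", "replace") if m else None


def content_encoding(metadata):
    """Pull Content-Encoding out of the cached response-head element."""
    m = re.search(rb"content-encoding:\s*([a-z0-9,\s-]+)", metadata, re.I)
    return m.group(1).decode().strip().lower() if m else ""


def decode_body(body, encoding):
    if "gzip" in encoding and body[:2] == b"\x1f\x8b":
        return gzip.decompress(body)
    if "br" in encoding:
        try:
            import brotli  # optional dependency
            return brotli.decompress(body)
        except ImportError:
            return None  # cannot inspect; caller reports it as undecoded
    return body


def scan_cache2(entries_dir):
    """Return one finding per entry whose decoded body contains a marker,
    plus a finding with markers=None for bodies that could not be decoded."""
    findings = []
    for name in sorted(os.listdir(entries_dir)):
        with open(os.path.join(entries_dir, name), "rb") as fh:
            data = fh.read()
        body, meta = split_entry(data)
        text = decode_body(body, content_encoding(meta))
        hits = None if text is None else [m.decode() for m in WGSL_MARKERS if m in text]
        if hits is None or hits:
            findings.append({"file": name, "url": entry_url(meta), "markers": hits})
    return findings


def _make_entry(url, body, extra_headers=b""):
    """Constructed cache2-shaped entry (layout as assumed above, not byte-exact)."""
    meta = (b"\x00" * 24  # stand-in for the chunk hashes and fixed header
            + b"a,:" + url + b"\x00"
            + b"response-head\x00HTTP/1.1 200 OK\r\n" + extra_headers + b"\x00")
    return body + meta + struct.pack(">I", len(body))


def build_sample(entries_dir):
    """Constructed entries: a WebGPU page, gzip-encoded JS with inline WGSL,
    and a benign page."""
    shader_js = (b"const adapter = await navigator.gpu.requestAdapter();\n"
                 b"device.createShaderModule({code: `@compute @workgroup_size(64)"
                 b" fn main() {}`});\n")
    entries = {
        "0A1B": _make_entry(b"https://shader-demo.example/gpu.html",
                            b"<script>navigator.gpu.requestAdapter()</script>"),
        "2C3D": _make_entry(b"https://shader-demo.example/gpu.js",
                            gzip.compress(shader_js), b"Content-Encoding: gzip\r\n"),
        "4E5F": _make_entry(b"https://news.example/", b"<html>plain page</html>"),
    }
    for name, data in entries.items():
        with open(os.path.join(entries_dir, name), "wb") as fh:
            fh.write(data)


def run_demo():
    d = tempfile.mkdtemp(prefix="cache2-")
    build_sample(d)
    return scan_cache2(d)


if __name__ == "__main__":
    for f in run_demo():
        print(f["file"], f["url"], f["markers"])
```

Run scan_cache2() against the preserved cache2\entries\ directory. The URL recovered from each hit feeds straight back into the places.sqlite timeline from the first step; the markers alone are not proof of exploitation, since legitimate WebGPU sites hit every one of them.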

The fourth artifact is the persistence layer. An attacker who achieved code execution will attempt to survive a browser restart. Pull the Run key registry hives (HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the corresponding HKLM key), scheduled tasks and WMI event subscriptions. Diff against the workstation imaging baseline. Net-new persistence created within 24 hours of the suspected exploitation is a high-confidence indicator of compromise.

Detection Signature

Illustrative Sigma rule. Tune the firefox-children allowlist to your baseline before production deployment; the helper binaries listed in the filter are the ones Firefox spawns in normal operation, and applications the user launches from the browser will need adding per environment.

title: Firefox or Thunderbird WebGPU Post-Exploit Process Spawn CVE-2026-12293
id: cve-2026-12293-firefox-child-process   # Sigma convention expects a UUID; replace before import
status: experimental
description: Detects post-exploitation child processes spawned from firefox.exe or thunderbird.exe consistent with WebGPU UAF sandbox escape.
references:
  - https://www.mozilla.org/security/advisories/mfsa2026-57/
tags:
  - attack.execution
  - attack.t1203
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\firefox.exe'
      - '\thunderbird.exe'
  filter_legitimate:
    Image|endswith:
      - '\firefox.exe'          # content, GPU and utility child processes
      - '\thunderbird.exe'
      - '\updater.exe'
      - '\crashreporter.exe'    # spawned after a crash, relevant to this bug
      - '\pingsender.exe'       # telemetry helper
  condition: selection and not filter_legitimate
falsepositives:
  - Applications the user opened from the browser, such as download or mailto handlers
level: high

What to Do About It

  1. Update Firefox and Thunderbird to v152 or later. Follow the Mozilla Foundation Security Advisory. The patch is bundled in the same update cycle.
  2. Run the forensic triage above on any system showing the indicator pattern. The Browser Viewer is the canonical Sherlock tool for the cache, history, crash-report and profile analysis sequence.
  3. Subscribe to the CISA Known Exploited Vulnerabilities catalog. Treat additions to the CISA KEV catalog as emergency patch tickets.
  4. Document your response. Record what you checked, what you patched and what residual risk remains. This matters for compliance and for any incident response activity that follows.

References and Further Reading