nss_3_124.rst - mozsearch

.. _mozilla_projects_nss_nss_3_124_release_notes:

NSS 3.124 release notes

=======================

`Introduction <#introduction>`__

--------------------------------

.. container::

   Network Security Services (NSS) 3.124 was released on *15 May 2026*.

`Distribution Information <#distribution_information>`__

--------------------------------------------------------

.. container::

   The HG tag is NSS_3_124_RTM. NSS 3.124 requires NSPR 4.38.2 or newer.

   NSS 3.124 source distributions are available on ftp.mozilla.org for secure HTTPS download:

   -  Source tarballs:

      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_124_RTM/src/

   Other releases are available :ref:`mozilla_projects_nss_releases`.

.. _changes_in_nss_3.124:

`Changes in NSS 3.124 <#changes_in_nss_3.124>`__

------------------------------------------------------------------

.. container::

   - Bug 2032562 - Add test for PKCS7 digest array alignment.

   - Bug 2030093 - Add test for rejection of excessively large ASN.1 SEQUENCE OF in quickder.

   - Bug 2030994 - Add test for CMS content size validation.

   - Bug 2030995 - Add regression tests for DSAU signature decoding.

   - Bug 2031030 - Add test for S/MIME profile lookup on temp certs.

   - Bug 2031343 - Test case for post-handshake auth and many certificate requests.

   - Bug 2019233 - Add test for intra-arena ASan redzones.

   - Bug 2033058 - update nss_status flags one at a time.

   - Bug 2029803 - add defensive info->len check in PK11_HPKE_SetupS and PK11_HPKE_SetupR.

   - Bug 2029403 - avoid PORT_Strdup in ssl_DecodeResumptionToken.

   - Bug 2020596 - add runtime check on decoded resumption token session id.

   - Bug 2035882 - improve mach try error handling.

   - Bug 2030798 - clang format.

   - Bug 2030798 - add comprehensive SECItem and SECItemArray tests.

   - Bug 2033058 - add bugzilla_cf_status_nss.py script.

   - Bug 2033057 - regenerate some recent release notes.

   - Bug 2033057 - fix bug list output by release note and email scripts.

   - Bug 2031190 - test removal from trust domain email cache.

   - Bug 2033208 - fix "testing if key corruption is detected in attribute" failures with sqlite-3.53.0.

   - Bug 2035348 - build sqlite3 shell for Windows CI runners.

   - Bug 2030366 - avoid race with module unloading in NSSTrustDomain_FindTokensByURI.

   - Bug 2030192 - add ImportEd25519WithNonEmptyAlgorithmParams test.

   - Bug 2034258 - add CLAUDE.md and .mcp.json.

   - Bug 2034244 - add a mach try command.

   - Bug 2031042 - remove dead condition in sec_asn1d_check_and_subtract_length.

   - Bug 2030374 - avoid integer truncation in nssCKObject_GetAttributes.

   - Bug 2030564 - add defensive input validation to sftk_compute_ANSI_X9_63_kdf.

   - Bug 2029765 - avoid refcount over-release in nssTokenObjectCache error path [@ nssToken_Destroy].

   - Bug 2029883 - sdb: enforce that metaData's id key is unique when reading.

   - Bug 2023478 - improve handling of escape sequences in pk11uri_ParseAttributes.

   - Bug 2030570 - use correct data for ID comparison in transfer_uri_certs_to_collection.

   - Bug 2030573 - fix truncation of ulValueLen in sdb_FindObjectsInit.

   - Bug 2033783 - reject DTLS 1.3 Server Hello after HVR without capping ss->vrange.max.

   - Bug 2034157 - set previous-nss-release for abicheck.

   - Bug 2032389 - Skip `PR_Sleep` yield for non-blocking sockets in `ssl3_SendApplicationData`.

   - Bug 2033650 - consistently protect PK11SlotInfo::maxKeyCount with freeListLock.

   - Bug 2030985 - Remove CRMF from testing and manifests.

   - Bug 2026711 - Remove unused RSA blind signature implementation from freebl.