NSS 3.122 release notes
Introduction
Network Security Services (NSS) 3.122 was released on 19 March 2026.
Distribution Information
The HG tag is NSS_3_122_RTM. NSS 3.122 requires NSPR 4.38.2 or newer.
NSS 3.122 source distributions are available on ftp.mozilla.org for secure HTTPS download:
Other releases are available Release Notes.
Changes in NSS 3.122
Bug 2023209 - ensure permittedSubtrees don’t match wildcards that could be outside the permitted tree.
Bug 2023664 - run mach doc-lint from generate_release_doc.py.
Bug 2023207 - Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag.
Bug 2020614 - tls13_CopyEchConfigs uses PR_LIST_TAIL instead of loop variable.
Bug 2021911 - fix cipher spec count intermittent CI failures.
Bug 2021913 - fix Mlkem768x25519ShareDamager intermittent CI failures.
Bug 2023437 - lint the legacy documentation.
Bug 2023437 - lint the NSS 3.112.3 release notes.
Bug 2023437 - add a doc-lint CI job.
Bug 2020224 - Add more useful coverage reports to CI and fail if new commit isn’t tested.
Bug 1472747 - wrong alert for malformed TLS 1.3 Finished.
Bug 1916429 - Swap order of asserts and state check.
Bug 2022149 - set correct value of unused curve parameters in tls13_HandleKeyShare.
Bug 2017929 - GCM needs to check for various limits in FIPS mode.
Bug 2017938 - Get Key Length not working from ED and Montgomery keys.
Bug 2017927 - Not all ike modes are FIPS approved. Adjust the indicators when they aren’t.
Bug 2020721 - fix intermittent ssl.sh test failures on windows runners.
Bug 2017918 - FIPS indicators on HKDF needs to be restricted to TLS usage.
Bug 2017920 - Generate keys not getting indicators.
Bug 2020612 - improve error handling in smime_init_once.
Bug 1987288 - Detect CPU features on OpenBSD using elf_aux_info.
Bug 2019357 - RSA_EMSAEncodePSS should validate the length of mHash.
Bug 2020442 - more robustly distinguish SFTKSessionObject and SFTKTokenObjects.
Bug 2019194 - fix missing .S file error in Solaris Makefile builds.
Bug 2020486 - fix memory leak in NSC_GenerateKey error path.
Bug 2020615 - Missing SECFailure return after FATAL_ERROR in tls13_HandleEncryptedExtensions.
Bug 2020613 - release xmit buf lock on dtls13_MaybeSendKeyUpdate error paths.
Bug 2020849 - release 1stHandshakeLock on SSL_ResetHandshake error path.
Bug 2020188 - avoid null deref in mp_div_d sign normalization.
Bug 2017945 - Temp private key lifecycle is broken.
Bug 1851073 - protect rwSessionCount with slotLock.
Bug 2019224 - Remove invalid PORT_Free().
Bug 1828713 - Fix intermittent ClientGreaseKeyShare test failure.
Bug 2018200 - Fix kCtxStr len passed to tls_SignOrVerifyUpdate.
Bug 2019760 - patch upstream acvp-rust during checkout to avoid build failures.
Bug 2019760 - update acvp Dockerfile.
Bug 2017997 - CKA_PARAM_SET missing from the CK_ULONG list in softoken.
Bug 2018000 - CKA_SEED missing from isPrivate in the database.
Bug 2019717 - update abicheck expectation for __nss_InitLock.
Bug 2019327 - taskcluster: set NSS_DISABLE_LIBPKIX=1 in test env for static builds.
Bug 2019327 - tests: fix setup_policy to use ROOTCERTSFILE for root cert module path.
Bug 2019327 - tests: fix selfserv/httpserv PID handling and wait exit code for MSYS_NT.
Bug 2019327 - tests: add native_path helper for cross-platform path conversion.
Bug 2019327 - tstclnt, strsclnt: avoid DNS lookup for loopback addresses on Windows.
Bug 2019090 - avoid platform GCM for x64 iOS emulator builds.
Bug 2012002 - remove lock instrumentation feature.
Bug 2017923 - Move FIPS indicator structures out of fips_algorithms.h.
Bug 2018064 - all.sh is failing in FIPS SSL test in main tree.
Bug 1975973 - fix memory leaks in crmf tests.
Bug 2012547 - fix unsatisfiable condition in lg_getTrust.
Bug 2006218 - allow selfserv makefile build to use system zlib.
Bug 2002247 - Add allocation limit to pkcs12 decoding.
Bug 2012406 - Add text/html single-line example emails to NSS S/SMIME CMS tests.