NSS 3.124 release notes

Introduction

Network Security Services (NSS) 3.124 was released on 15 May 2026.

Distribution Information

The HG tag is NSS_3_124_RTM. NSS 3.124 requires NSPR 4.38.2 or newer.

NSS 3.124 source distributions are available on ftp.mozilla.org for secure HTTPS download:

• Source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_124_RTM/src/

Other releases are available Release Notes.

Changes in NSS 3.124

• Bug 2032562 - Add test for PKCS7 digest array alignment.

• Bug 2030093 - Add test for rejection of excessively large ASN.1 SEQUENCE OF in quickder.

• Bug 2030994 - Add test for CMS content size validation.

• Bug 2030995 - Add regression tests for DSAU signature decoding.

• Bug 2031030 - Add test for S/MIME profile lookup on temp certs.

• Bug 2031343 - Test case for post-handshake auth and many certificate requests.

• Bug 2019233 - Add test for intra-arena ASan redzones.

• Bug 2033058 - update nss_status flags one at a time.

• Bug 2029803 - add defensive info->len check in PK11_HPKE_SetupS and PK11_HPKE_SetupR.

• Bug 2029403 - avoid PORT_Strdup in ssl_DecodeResumptionToken.

• Bug 2020596 - add runtime check on decoded resumption token session id.

• Bug 2035882 - improve mach try error handling.

• Bug 2030798 - clang format.

• Bug 2030798 - add comprehensive SECItem and SECItemArray tests.

• Bug 2033058 - add bugzilla_cf_status_nss.py script.

• Bug 2033057 - regenerate some recent release notes.

• Bug 2033057 - fix bug list output by release note and email scripts.

• Bug 2031190 - test removal from trust domain email cache.

• Bug 2033208 - fix “testing if key corruption is detected in attribute” failures with sqlite-3.53.0.

• Bug 2035348 - build sqlite3 shell for Windows CI runners.

• Bug 2030366 - avoid race with module unloading in NSSTrustDomain_FindTokensByURI.

• Bug 2030192 - add ImportEd25519WithNonEmptyAlgorithmParams test.

• Bug 2034258 - add CLAUDE.md and .mcp.json.

• Bug 2034244 - add a mach try command.

• Bug 2031042 - remove dead condition in sec_asn1d_check_and_subtract_length.

• Bug 2030374 - avoid integer truncation in nssCKObject_GetAttributes.

• Bug 2030564 - add defensive input validation to sftk_compute_ANSI_X9_63_kdf.

• Bug 2029765 - avoid refcount over-release in nssTokenObjectCache error path [@ nssToken_Destroy].

• Bug 2029883 - sdb: enforce that metaData’s id key is unique when reading.

• Bug 2023478 - improve handling of escape sequences in pk11uri_ParseAttributes.

• Bug 2030570 - use correct data for ID comparison in transfer_uri_certs_to_collection.

• Bug 2030573 - fix truncation of ulValueLen in sdb_FindObjectsInit.

• Bug 2033783 - reject DTLS 1.3 Server Hello after HVR without capping ss->vrange.max.

• Bug 2034157 - set previous-nss-release for abicheck.

• Bug 2032389 - Skip PR_Sleep yield for non-blocking sockets in ssl3_SendApplicationData.

• Bug 2033650 - consistently protect PK11SlotInfo::maxKeyCount with freeListLock.

• Bug 2030985 - Remove CRMF from testing and manifests.

• Bug 2026711 - Remove unused RSA blind signature implementation from freebl.