SB2025072236 - openEuler 24.03 LTS SP2 update for thunderbird
Published: July 22, 2025 Updated: December 17, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 87 secuirty vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-10458)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a permission leak via embed or object elements. A remote attacker can create a specially crafted webpage that embeds a trusted website and force the browser to inherit permissions from this trusted website.
2) Use-after-free (CVE-ID: CVE-2024-10459)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in layout with accessibility. A remote attacker can trick the victim into visiting a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
3) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2024-10460)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to the origin of an external protocol handler prompt can be obscured using a "data:" URL within an iframe. A remote attacker can perform spoofing attack.
4) Universal cross-site scripting (CVE-ID: CVE-2024-10461)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when handling multipart/x-mixed-replace responses. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of any website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
5) Spoofing attack (CVE-ID: CVE-2024-10462)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to the browser truncates long URLs when displaying origin of permission prompt. A remote attacker can perform a spoofing attack by providing an overly long URL that looks like a trusted domain name.
6) Information disclosure (CVE-ID: CVE-2024-10463)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a cross-origin video frame leak. A remote attacker can trick the victim into visiting a specially crafted website and access video frames cross-origin from a different browser tab.
7) Resource management error (CVE-ID: CVE-2024-10464)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to repeated writes to history interface attributes. A remote attacker can crash the browser.
8) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2024-10465)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to a clipboard "paste" button persists across different tabs. A remote attacker can trick the victim into pasting content into a malicious tab.
9) Resource management error (CVE-ID: CVE-2024-10466)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when handling DOM push subscriptions. A remote attacker can send specially crafted data to the browser and crash it.
10) Buffer overflow (CVE-ID: CVE-2024-10467)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
11) Information disclosure (CVE-ID: CVE-2024-11159)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error when handling remote content in in OpenPGP encrypted message. A remote attacker can gain contents of an encrypted message.
12) Buffer overflow (CVE-ID: CVE-2024-11691)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Apple GPU drivers. A remote attacker can trick the victim into visiting a specially crafted webpage, trigger memory corruption and execute arbitrary code on the target system.
Note, the vulnerability affects only installations on macOS operating system.
13) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2024-11692)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error, which leads to a select dropdown be shown over another tab. A remote attacker can perform spoofing attack against arbitrary website.
14) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2024-11693)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a file warning is not displayed when downloading .library-ms files. A remote attacker can trick the victim into downloading and execution malicious files on the system.
Note, the vulnerability affects only installations on Windows operating system.
15) Security features bypass (CVE-ID: CVE-2024-11694)
The vulnerability allows a remote attacker to bypass implemented CSP.
The vulnerability exists due to Enhanced Tracking Protection's Strict mode allows a CSP frame-src bypass and DOM-based XSS through the Google SafeFrame shim in the Web Compatibility extension. A remote attacker can masquerade malicious frames as legitimate content.
16) Spoofing attack (CVE-ID: CVE-2024-11695)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of URL containing Arabic script and whitespace characters. A remote attacker can spoof the URL of the website.
17) Improper error handling (CVE-ID: CVE-2024-11696)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper exception handling thrown by the loadManifestFromFile method when validating add-on signatures. A remote attacker can bypass the implemented signature verification process and perform installation of a malicious add-on.
18) Data Handling (CVE-ID: CVE-2024-11697)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper keypress handling in executable file confirmation dialog. A remote attacker can trick the victim into executing a malicious file.
19) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2024-11698)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error in handling fullscreen transitions. A remote attacker can force the browser to be stuck in the fullscreen mode even after pressing the "Esc" button and perform a spoofing attack.
Note, the vulnerability affects installations on macOS only.
20) Buffer overflow (CVE-ID: CVE-2024-11699)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
21) Double free (CVE-ID: CVE-2024-11704)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the sec_pkcs7_decoder_start_decrypt() function. A remote attacker can trick the victim into connecting to a specially crafted website, trigger a double free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
22) Improper input validation (CVE-ID: CVE-2024-43097)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
23) Input validation error (CVE-ID: CVE-2024-50336)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper input validation when handling MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver.
24) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-8900)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to application does not properly impose security restrictions. A remote attacker can write data to the user's clipboard, bypassing the user prompt, during a certain sequence of navigational events.
25) Security features bypass (CVE-ID: CVE-2024-9392)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an unspecified error. A compromised content process perform arbitrary loading of cross-origin pages.
26) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-9393)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to application does not properly impose security restrictions. A remote attacker can use a specially crafted multipart response to execute arbitrary JavaScript under the resource://pdf.js origin and access cross-origin PDF content.
Note, this access is limited to "same site" documents by the Site Isolation feature on desktop clients, however the full cross-origin access is possible on Android installations.
27) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-9394)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to application does not properly impose security restrictions. A remote attacker can send a specially crafted multipart response and execute arbitrary JavaScript under the resource://devtools origin. This could allow them to access cross-origin JSON content.
Note, this access is limited to "same site" documents by the Site Isolation feature on desktop clients, however full cross-origin access is possible on Android.
28) Buffer overflow (CVE-ID: CVE-2024-9396)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when cloning certain objects. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
29) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2024-9397)
The vulnerability allows a remote attacker to perform clickjacking attacks.
The vulnerability exists due to a missing delay in directory upload UI. A remote attacker can trick a user into granting permission via clickjacking.
30) Information disclosure (CVE-ID: CVE-2024-9398)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a possibility to enumerate protocol handlers via the window.open() call. A remote attacker can enumerate installed applications on the system.
31) Input validation error (CVE-ID: CVE-2024-9399)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling WebTransport. A remote attacker can trick the victim into visiting a specially crafted website and crash the browser.
32) Resource exhaustion (CVE-ID: CVE-2024-9400)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources during JIT compilation. A remote attacker can crash the browser.
33) Buffer overflow (CVE-ID: CVE-2024-9401)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
34) Buffer overflow (CVE-ID: CVE-2024-9402)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
35) Use-after-free (CVE-ID: CVE-2024-9680)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in Animation timeline. A remote attacker can trick the victim into visiting a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
36) Unintended Proxy or Intermediary (CVE-ID: CVE-2025-0237)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to WebChannel API does not check the sending principal but rather accepted the principal being sent when transporting data across processes. A local user can perform confused deputy attack and escalate privileges on the system.
37) Use-after-free (CVE-ID: CVE-2025-0238)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when breaking lines in text. A remote attacker can trick the victim into visiting a specially crafted webpage and execute arbitrary code on the system.
38) Improper Certificate Validation (CVE-ID: CVE-2025-0239)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to Alt-Svc ALPN does not properly validate certificates when the original server is redirecting to an insecure site. A remote attacker can perform MitM attack.
39) Use-after-free (CVE-ID: CVE-2025-0240)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when parsing a JavaScript module as JSON. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system.
40) Buffer overflow (CVE-ID: CVE-2025-0241)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
41) Buffer overflow (CVE-ID: CVE-2025-0242)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
42) Buffer overflow (CVE-ID: CVE-2025-0243)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
43) Spoofing attack (CVE-ID: CVE-2025-0510)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of a sender address if the From field of an email used the invalid group name syntax. A remote attacker can spoof the email content.
Note, the vulnerability is similar to #VU100312 (CVE-2024-49040).
44) Use-after-free (CVE-ID: CVE-2025-1009)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when handling XSLT data. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
45) Use-after-free (CVE-ID: CVE-2025-1010)
The vulnerability allows a remote attacker to compromise vulnerable system.
The
vulnerability exists due to a use-after-free error in Custom Highlight API. A remote attacker can trick the victim into visiting a specially
crafted website and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
46) Code Injection (CVE-ID: CVE-2025-1011)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation during WebAssembly code generation. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
47) Use-after-free (CVE-ID: CVE-2025-1012)
The vulnerability allows a remote attacker to compromise vulnerable system.
The
vulnerability exists due to a use-after-free error during concurrent delazification. A remote attacker can trick the victim into visiting a specially
crafted website and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
48) Race condition (CVE-ID: CVE-2025-1013)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a race condition when opening private browsing tabs. A remote attacker can force the browser to open private browsing tabs in normal browsing windows and gain access to sensitive information.
49) Improper certificate validation (CVE-ID: CVE-2025-1014)
The vulnerability allows a remote attacker to gain bypass implemented security restrictions.
The vulnerability exists due to improper certificate validation when adding certificates to a store. Firefox did not check certificate length, resulting only in trusted data being checked. A remote attacker can trick the victim into importing a malicious certificate into the certificate store and perform MitM attack.
50) Input validation error (CVE-ID: CVE-2025-1015)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when handling the Address Book URI fields. A remote attacker create and export an address book containing a malicious payload in a field, trick the victim into clicking on the link after importing the address book and a web page inside Thunderbird.
51) Buffer overflow (CVE-ID: CVE-2025-1016)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
52) Buffer overflow (CVE-ID: CVE-2025-1017)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
53) Use-after-free (CVE-ID: CVE-2025-1930)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in the Browser process when handling StreamData sent over AudioIPC. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code on the system.
The vulnerability affects Firefox installations on Windows only.
54) Use-after-free (CVE-ID: CVE-2025-1931)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in WebTransportChild. A remote attacker can trick the victim into visiting a specially crafted website, trigger a use-after-free in the content process side of a WebTransport connection and execute arbitrary code on the system.
55) Out-of-bounds write (CVE-ID: CVE-2025-1932)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to inconsistent comparison in xslt/txNodeSorter. A remote attacker can trick the victim into visiting a specially crafted web page, trigger an out-of-bounds write and execute arbitrary code on the target system.
56) Buffer overflow (CVE-ID: CVE-2025-1933)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error on 64-bit CPUs, when the JIT compiles WASM i32 return values they can pick up bits from left over memory. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
57) Resource management error (CVE-ID: CVE-2025-1934)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. A remote attacker interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it.
58) Improper Restriction of Rendered UI Layers or Frames (CVE-ID: CVE-2025-1935)
The vulnerability allows a remote attacker to perform clickjacking attack.
The vulnerability exists due to the way the registerProtocolHandler info-bar handles events. A remote attacker can trick the victim into setting a malicious site as the default handler for a custom URL protocol.
59) Input validation error (CVE-ID: CVE-2025-1936)
The vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists due to insufficient validation of a null-byte character (e.g. %00) in the filename when retrieving local file content packaged in a ZIP archive via jar: URLs. The null and everything after it is ignored when retrieving the content from the archive, but the fake extension after the null is used to determine the type of content. A remote attacker can hide code in a web extension disguised as a safe file, such as an image.
60) Buffer overflow (CVE-ID: CVE-2025-1937)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
61) Buffer overflow (CVE-ID: CVE-2025-1938)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
62) Cryptographic issues (CVE-ID: CVE-2025-26695)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to usage of incorrect padding when downloading OpenPGP key from a WKD server. A remote attacker on the local network can learn the length of the requested email address.
63) Improper locking (CVE-ID: CVE-2025-2817)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper locking mechanism in Firefox Updater. A medium-integrity user process can interfere with the SYSTEM-level updater by manipulating the file-locking behavior by injecting code into the user-privileged process. A local user or malicious software installed on the system can bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation.
64) Information disclosure (CVE-ID: CVE-2025-2830)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error when handling attachment in a multipart
message. A remote attacker can trick the victim into forwarding a specially crafted email and force Thunderbird to include in the message a
directory listing of /tmp.
65) Use-after-free (CVE-ID: CVE-2025-3028)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in XSLTProcessor. A remote attacker can trick the victim into visiting a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
66) Spoofing attack (CVE-ID: CVE-2025-3029)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of non-BMP unicode characters. A remote attacker can use a specially crafted URL to spoof the URL bar in the browser.
67) Buffer overflow (CVE-ID: CVE-2025-3030)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
68) Information disclosure (CVE-ID: CVE-2025-3522)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a missing URL validation when processing the X-Mozilla-External-Attachment-URL header to handle externally hosted attachments. A remote attacker can send a specially crafted email to the victim that contains a link with an internally referenced document, such as "chrome://" or "chrome://" and force Thunderbird to share hashed Windows credentials with that URL, leading to information disclosure.
69) Spoofing attack (CVE-ID: CVE-2025-3523)
The vulnerability allows a remote attacker to perform spoofing attack.
When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources.
70) Input validation error (CVE-ID: CVE-2025-3875)
The vulnerability allows a remote attacker to perform a spoofing attack
The vulnerability exists due to insufficient validation of email addresses. A remote attacker can spoof the sender email address via a specially crafted "From" field in the email..
71) Input validation error (CVE-ID: CVE-2025-3909)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to incorrect handling of the X-Mozilla-External-Attachment-URL header. A remote attacker can create a nested email attachment, set its content type to application/pdf and force the application to execute arbitrary JavaScript code in the file:/// context.
72) Information disclosure (CVE-ID: CVE-2025-3932)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to incorrect handling of tracking links. A remote attacker can create a specially crafted email message that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link.
73) Protection Mechanism Failure (CVE-ID: CVE-2025-4083)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient process isolation when handling "javascript:" URI links. An attacker can trick the victim into clicking on a specially crafted link and execute content in the top-level document's process instead of the intended frame.
74) Out-of-bounds read (CVE-ID: CVE-2025-4087)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a boundary condition when parsing XPath content. A remote attacker can trick the victim into visiting a specially crafted website, trigger an out-of-bounds read error and execute arbitrary code on the system.
75) Buffer overflow (CVE-ID: CVE-2025-4091)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
76) Buffer overflow (CVE-ID: CVE-2025-4093)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
77) Out-of-bounds write (CVE-ID: CVE-2025-4920)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing JavaScript "Promise" object. A remote attacker can trick the victim into visiting a specially crafted website, trigger an out-of-bounds write and execute arbitrary code on the target system.
78) Out-of-bounds write (CVE-ID: CVE-2025-4921)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when manipulating a JavaScript object by confusing array index sizes. A remote attacker can trick the victim into visiting a specially crafted website, trigger an out-of-bounds write and execute arbitrary code on the target system.
79) Improper error handling (CVE-ID: CVE-2025-5263)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to error handling for script execution is not correctly isolated from the web content. A remote attacker can trick the victim into opening a specially crafted website and obtain certain information cross-origin.
80) Input validation error (CVE-ID: CVE-2025-5264)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input within the "Copy as cURL" feature. A remote attacker can trick the victim into copying a specially crafted URL, trick the victim into using this command and execute arbitrary commands on the system.
81) Input validation error (CVE-ID: CVE-2025-5265)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input within the "Copy as cURL" feature. A remote attacker can trick the victim into copying a specially crafted URL, trick the victim into using this command and execute arbitrary commands on the system.
The vulnerability affects Windows installations only.
82) Information disclosure (CVE-ID: CVE-2025-5266)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to script elements loading cross-origin resources generated load and error
events, which leaked information. A remote attacker can gain access to sensitive information.
83) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2025-5267)
The vulnerability allows a remote attacker to perform clickjacking attacks.
The vulnerability exists due to an error in the UI that can lead to information disclosure. A remote attacker can perform a clickjacking attack and trick a user into leaking saved payment card details to a malicious page.
84) Buffer overflow (CVE-ID: CVE-2025-5268)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
85) Buffer overflow (CVE-ID: CVE-2025-5269)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
86) Input validation error (CVE-ID: CVE-2025-5986)
The vulnerability allows a remote attacker to gain access to sensitive information or perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling mailbox:/// links. A remote attacker can create a specially crafted email mailbox:/// links and trigger unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. Additionally, this behavior can be use to leak Windows credentials via SMB links when the email is viewed in HTML mode.
Note, viewing the email in HTML mode is enough to load external content.
87) Spoofing attack (CVE-ID: CVE-2024-49040)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can spoof content of email messages in the Microsoft Exchange client interface.
Remediation
Install update from vendor's website.