SB20260422179 - Multiple vulnerabilities in Mozilla Thunderbird ESR
Published: April 22, 2026
Description
This security bulletin contains information about 25 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2026-6765)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the Form Autofill component when handling autofill data in crafted web content. A remote attacker can cause the browser to expose autofill-related information, disclosing sensitive data.
User interaction is required to visit a specially crafted website or URL.
2) Buffer overflow (CVE-ID: CVE-2026-6786)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to memory corruption in multiple browser components when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.
Some of the bugs showed evidence of memory corruption.
3) Buffer overflow (CVE-ID: CVE-2026-6785)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to memory corruption in multiple components when rendering crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.
The advisory states that some of the underlying bugs showed evidence of memory corruption.
4) Buffer overflow (CVE-ID: CVE-2026-6776)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect boundary conditions in the WebRTC: Networking component when handling crafted web content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a specially crafted website or URL.
5) Out-of-bounds read (CVE-ID: CVE-2026-6772)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect boundary conditions in the Libraries component in NSS when processing crafted input. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a crafted website or URL.
6) Protection Mechanism Failure (CVE-ID: CVE-2026-6771)
The vulnerability allows a remote attacker to bypass a security restriction.
The vulnerability exists due to improper restriction enforcement in the DOM: Security component when processing crafted web content. A remote attacker can trigger the vulnerable behavior to bypass a security restriction.
User interaction is required to visit a specially crafted website or URL.
7) Input validation error (CVE-ID: CVE-2026-6770)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input handling in the Storage: IndexedDB component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a specially crafted website or URL.
8) Improper access control (CVE-ID: CVE-2026-6769)
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to improper access control in the Debugger component when processing crafted web content. A remote attacker can trigger the vulnerable behavior to escalate privileges.
User interaction is required to visit a specially crafted website or URL.
9) Input validation error (CVE-ID: CVE-2026-6767)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an unspecified flaw in the Libraries component in NSS when processing crafted input. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a crafted website or URL.
10) Buffer overflow (CVE-ID: CVE-2026-6766)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect boundary conditions in the Libraries component in NSS when parsing crafted input. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a specially crafted website or URL.
11) Buffer overflow (CVE-ID: CVE-2026-6764)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect boundary conditions in the DOM: Device Interfaces component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a specially crafted website or URL.
12) Use-after-free (CVE-ID: CVE-2026-6746)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in the DOM: Core & HTML component when rendering crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.
User interaction is required to visit a crafted website or URL.
13) Protection Mechanism Failure (CVE-ID: CVE-2026-6763)
The vulnerability allows a remote attacker to bypass a security restriction.
The vulnerability exists due to improper restriction enforcement in the File Handling component when processing crafted file handling operations. A remote attacker can trigger the vulnerable behavior to bypass a security restriction.
14) Input validation error (CVE-ID: CVE-2026-6762)
The vulnerability allows a remote attacker to spoof the user interface.
The vulnerability exists due to improper input validation in the DOM: Core & HTML component when rendering crafted web content. A remote attacker can cause the browser to process specially crafted content to spoof the user interface.
User interaction is required to visit a crafted website or URL.
15) Improper access control (CVE-ID: CVE-2026-6761)
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to improper access control in the Networking component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to escalate privileges.
User interaction is required to visit a specially crafted website or URL.
16) Use-after-free (CVE-ID: CVE-2026-6759)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the Widget: Cocoa component when handling local widget operations. A local user can trigger the vulnerable code path to cause a denial of service.
17) NULL pointer dereference (CVE-ID: CVE-2026-6757)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to invalid pointer usage in the JavaScript: WebAssembly component when processing crafted WebAssembly content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a specially crafted website or URL.
18) Use-after-free (CVE-ID: CVE-2026-6754)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in the JavaScript Engine component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.
User interaction is required to visit a crafted website or URL.
19) Buffer overflow (CVE-ID: CVE-2026-6753)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect boundary conditions in the WebRTC component when handling crafted web content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a specially crafted website or URL.
20) Out-of-bounds read (CVE-ID: CVE-2026-6752)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect boundary conditions in the WebRTC component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a crafted website or URL.
21) Use of uninitialized resource (CVE-ID: CVE-2026-6751)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to uninitialized memory in the Audio/Video: Web Codecs component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.
22) Improper access control (CVE-ID: CVE-2026-6750)
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to improper access control in the Graphics: WebRender component when rendering crafted web content. A remote attacker can cause the browser to process specially crafted content to escalate privileges.
User interaction is required to visit a crafted website or URL.
23) Use of uninitialized resource (CVE-ID: CVE-2026-6749)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to uninitialized memory in the Graphics: Canvas2D component when rendering crafted web content. A remote attacker can cause the browser to process specially crafted content to disclose sensitive information.
User interaction is required to visit a crafted website or URL.
24) Use of uninitialized resource (CVE-ID: CVE-2026-6748)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to uninitialized memory in the Audio/Video: Web Codecs component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.
User interaction is required to visit a specially crafted website or URL.
25) Use-after-free (CVE-ID: CVE-2026-6747)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in the WebRTC component when handling crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.
User interaction is required to visit a specially crafted website or URL.
Remediation
Install the update from the vendor's website.