SB20260422180 - Multiple vulnerabilities in Mozilla Thunderbird
Published: April 22, 2026
Breakdown by Severity (chart: Low / Medium / High / Critical; per-severity counts are not reproduced in this text copy)
Description
This security bulletin contains information about 40 security vulnerabilities.
Thunderbird is built on the same Gecko platform as Firefox, so the component names below (DOM, JavaScript Engine, WebRTC, NSS, Audio/Video and so on) and the "browser" and "crafted website" wording refer to engine code shared with Firefox. Mozilla disables scripting when Thunderbird displays mail, so script-driven entries are mainly a risk in browser-like contexts, whereas entries in parsers reached without script (NSS, media decoding, WebRTC and networking) can be hit by attacker-supplied content alone.
1) Input validation error (CVE-ID: CVE-2026-6779)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an unspecified error in the JavaScript Engine component. A remote attacker can bypass implemented security restrictions.
2) Protection Mechanism Failure (CVE-ID: CVE-2026-6771)
The vulnerability allows a remote attacker to bypass a security restriction.
The vulnerability exists due to improper restriction enforcement in the DOM: Security component when processing crafted web content. A remote attacker can trigger the vulnerable behavior to bypass a security restriction.
User interaction is required to visit a specially crafted website or URL.
3) Out-of-bounds read (CVE-ID: CVE-2026-6772)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect boundary conditions in NSS (Libraries component) when processing crafted input. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a crafted website or URL.
4) Integer overflow (CVE-ID: CVE-2026-6773)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to integer overflow in the Graphics: WebGPU component when processing graphics operations. A remote attacker can supply crafted input to cause a denial of service.
5) Protection Mechanism Failure (CVE-ID: CVE-2026-6774)
The vulnerability allows a remote attacker to bypass a security restriction.
The vulnerability exists due to a mitigation bypass in the DOM: Security component when enforcing security restrictions. A remote attacker can craft content to bypass a security restriction.
6) Buffer overflow (CVE-ID: CVE-2026-6775)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect boundary conditions in the WebRTC component when processing WebRTC content. A remote attacker can send crafted content to cause a denial of service.
7) Buffer overflow (CVE-ID: CVE-2026-6776)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect boundary conditions in the WebRTC: Networking component when handling crafted web content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a specially crafted website or URL.
8) Input validation error (CVE-ID: CVE-2026-6777)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an unspecified error in the Networking: DNS component. A remote attacker can bypass implemented security restrictions.
9) NULL pointer dereference (CVE-ID: CVE-2026-6778)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an invalid pointer dereference in the Audio/Video: Playback component when processing media playback. A remote attacker can supply crafted media to cause a denial of service.
10) Input validation error (CVE-ID: CVE-2026-6780)
The vulnerability allows a remote attacker to crash the browser.
The vulnerability exists due to an unspecified error in the Audio/Video: Playback component. A remote attacker can trick the victim into visiting a specially crafted web page and crash the browser.
11) Improper access control (CVE-ID: CVE-2026-6769)
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to improper access control in the Debugger component when processing crafted web content. A remote attacker can trigger the vulnerable behavior to escalate privileges.
User interaction is required to visit a specially crafted website or URL.
12) Input validation error (CVE-ID: CVE-2026-6781)
The vulnerability allows a remote attacker to crash the browser.
The vulnerability exists due to an unspecified error in the Audio/Video: Playback component. A remote attacker can trick the victim into visiting a specially crafted web page and crash the browser.
13) Information disclosure (CVE-ID: CVE-2026-6782)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the IP Protection component. A remote attacker can trigger the flaw to disclose sensitive information.
14) Integer overflow (CVE-ID: CVE-2026-6783)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to integer overflow in the Audio/Video: Playback component when processing media playback. A remote attacker can supply crafted media to cause a denial of service.
15) Buffer overflow (CVE-ID: CVE-2026-6784)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to memory corruption in multiple components when processing web content. A remote attacker can trigger memory corruption to execute arbitrary code.
Some of these bugs showed evidence of memory corruption.
16) Buffer overflow (CVE-ID: CVE-2026-6785)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to memory corruption in multiple components when rendering crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.
The advisory states that some of the underlying bugs showed evidence of memory corruption.
17) Buffer overflow (CVE-ID: CVE-2026-6786)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to memory corruption in multiple browser components when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.
Some of the bugs showed evidence of memory corruption.
18) Input validation error (CVE-ID: CVE-2026-6770)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input handling in the Storage: IndexedDB component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a specially crafted website or URL.
19) Protection Mechanism Failure (CVE-ID: CVE-2026-6768)
The vulnerability allows a remote attacker to bypass a security restriction.
The vulnerability exists due to a mitigation bypass in the Networking: Cookies component when handling cookies. A remote attacker can craft input to bypass a security restriction.
20) Use-after-free (CVE-ID: CVE-2026-6746)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in the DOM: Core & HTML component when rendering crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.
User interaction is required to visit a crafted website or URL.
21) Protection Mechanism Failure (CVE-ID: CVE-2026-6755)
The vulnerability allows a remote attacker to bypass a security restriction.
The vulnerability exists due to a mitigation bypass in the DOM: postMessage component when handling postMessage operations. A remote attacker can craft content to bypass a security restriction.
22) Use-after-free (CVE-ID: CVE-2026-6747)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in the WebRTC component when handling crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.
User interaction is required to visit a specially crafted website or URL.
23) Use of uninitialized resource (CVE-ID: CVE-2026-6748)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to uninitialized memory in the Audio/Video: Web Codecs component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.
User interaction is required to visit a specially crafted website or URL.
24) Use of uninitialized resource (CVE-ID: CVE-2026-6749)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to uninitialized memory in the Graphics: Canvas2D component when rendering crafted web content. A remote attacker can cause the browser to process specially crafted content to disclose sensitive information.
User interaction is required to visit a crafted website or URL.
25) Improper access control (CVE-ID: CVE-2026-6750)
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to improper access control in the Graphics: WebRender component when rendering crafted web content. A remote attacker can cause the browser to process specially crafted content to escalate privileges.
User interaction is required to visit a crafted website or URL.
26) Use of uninitialized resource (CVE-ID: CVE-2026-6751)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to uninitialized memory in the Audio/Video: Web Codecs component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.
27) Out-of-bounds read (CVE-ID: CVE-2026-6752)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect boundary conditions in the WebRTC component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a crafted website or URL.
28) Buffer overflow (CVE-ID: CVE-2026-6753)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect boundary conditions in the WebRTC component when handling crafted web content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a specially crafted website or URL.
29) Use-after-free (CVE-ID: CVE-2026-6754)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to use-after-free in the JavaScript Engine component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.
User interaction is required to visit a crafted website or URL.
30) NULL pointer dereference (CVE-ID: CVE-2026-6757)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to invalid pointer usage in the JavaScript: WebAssembly component when processing crafted WebAssembly content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a specially crafted website or URL.
31) Input validation error (CVE-ID: CVE-2026-6767)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an unspecified flaw in NSS (Libraries component) when processing crafted input. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a crafted website or URL.
32) Use-after-free (CVE-ID: CVE-2026-6758)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use-after-free in the JavaScript: WebAssembly component when processing WebAssembly content. A remote attacker can trigger use of a dangling object to cause a denial of service.
33) Use-after-free (CVE-ID: CVE-2026-6759)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the Widget: Cocoa component (macOS) when handling local widget operations. A local user can trigger the vulnerable code path to cause a denial of service.
34) Protection Mechanism Failure (CVE-ID: CVE-2026-6760)
The vulnerability allows a remote attacker to bypass a security restriction.
The vulnerability exists due to a mitigation bypass in the Networking: Cookies component when handling cookies. A remote attacker can craft input to bypass a security restriction.
35) Improper access control (CVE-ID: CVE-2026-6761)
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to improper access control in the Networking component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to escalate privileges.
User interaction is required to visit a specially crafted website or URL.
36) Input validation error (CVE-ID: CVE-2026-6762)
The vulnerability allows a remote attacker to spoof the user interface.
The vulnerability exists due to improper input validation in the DOM: Core & HTML component when rendering crafted web content. A remote attacker can cause the browser to process specially crafted content to spoof the user interface.
User interaction is required to visit a crafted website or URL.
37) Protection Mechanism Failure (CVE-ID: CVE-2026-6763)
The vulnerability allows a remote attacker to bypass a security restriction.
The vulnerability exists due to improper restriction enforcement in the File Handling component when processing crafted file handling operations. A remote attacker can trigger the vulnerable behavior to bypass a security restriction.
38) Buffer overflow (CVE-ID: CVE-2026-6764)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect boundary conditions in the DOM: Device Interfaces component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a specially crafted website or URL.
39) Information disclosure (CVE-ID: CVE-2026-6765)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the Form Autofill component when handling autofill data in crafted web content. A remote attacker can cause the browser to expose autofill-related information to disclose sensitive information.
User interaction is required to visit a specially crafted website or URL.
40) Buffer overflow (CVE-ID: CVE-2026-6766)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect boundary conditions in NSS (Libraries component) when parsing crafted input. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.
User interaction is required to visit a specially crafted website or URL.
Remediation
Install the update from the vendor's website. The fixed version is not listed in this bulletin; take it from the Mozilla advisory and confirm the installed version afterwards (Help > About Thunderbird, or the Version= field of application.ini in the install directory), since an unrestarted or stalled background update leaves the vulnerable build in place.
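Added example (not part of this bulletin or of Mozilla's tooling): a small check that reads the installed Thunderbird version from the application.ini file Mozilla ships in the install directory and compares it against the fixed versions taken from the vendor advisory. All version strings below, including the sample application.ini content, are constructed placeholders; the real fixed versions must come from the Mozilla advisory, which this page does not reproduce.

```python
"""Compare an installed Thunderbird against the fixed versions from the vendor advisory."""
import configparser
import re
from pathlib import Path

# Constructed sample of the [App] section of Mozilla's application.ini. The real
# file lives in the Thunderbird install directory; this version string is made up.
SAMPLE_APPLICATION_INI = """\
[App]
Vendor=Mozilla
Name=Thunderbird
RemotingName=thunderbird
Version=140.2.0esr
BuildID=20250801000000
"""

# Hypothetical fixed versions, one per release branch (ESR and monthly).
# Replace with the versions named in the Mozilla advisory.
FIXED_VERSIONS = ["140.2.1esr", "147.0.1"]


def parse_version(version: str) -> tuple:
    """'140.2.0esr' -> (140, 2, 0). Channel suffixes (esr, a1, b3) are dropped
    and missing components are padded with zeros so tuples compare cleanly."""
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def installed_version(ini_text: str) -> str:
    """Extract App/Version from application.ini text, refusing non-Thunderbird files."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    if cp.get("App", "Name", fallback="") != "Thunderbird":
        raise ValueError("not a Thunderbird application.ini")
    return cp.get("App", "Version")


def needs_update(installed: str, fixed_versions) -> bool:
    """True when the installed build predates the fix for its own release branch.

    Branches are matched on the major version so an ESR install is judged
    against the ESR fix rather than the newer monthly release. A branch with no
    fix listed and older than every fixed branch is treated as out of support.
    """
    inst = parse_version(installed)
    fixed = [parse_version(f) for f in fixed_versions]
    same_branch = [f for f in fixed if f[0] == inst[0]]
    if same_branch:
        return inst < min(same_branch)
    return inst[0] < max(f[0] for f in fixed)


def check_install(install_dir: str, fixed_versions=FIXED_VERSIONS) -> dict:
    """Read application.ini from a real install directory and report the verdict."""
    ver = installed_version((Path(install_dir) / "application.ini").read_text())
    return {"installed": ver, "fixed": list(fixed_versions),
            "vulnerable": needs_update(ver, fixed_versions)}


if __name__ == "__main__":
    ver = installed_version(SAMPLE_APPLICATION_INI)
    print(ver, "needs update:", needs_update(ver, FIXED_VERSIONS))
```

Run check_install against the actual install directory (for example /usr/lib/thunderbird on many Linux distributions or Thunderbird.app/Contents/Resources on macOS) once the real fixed versions are filled in; comparing across branches would otherwise flag every ESR install as vulnerable the moment a newer monthly release exists.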