SB20260507301 - SUSE update for MozillaThunderbird


Published: May 7, 2026

Security Bulletin ID: SB20260507301
CSH Severity: High
Patch available: Yes
Number of vulnerabilities: 29
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 41%, Medium: 45%, Low: 14%, Critical: 0%

Description

This security bulletin contains information about 29 vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2026-6746)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to use-after-free in the DOM: Core & HTML component when rendering crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.

User interaction is required to visit a crafted website or URL.


2) Use-after-free (CVE-ID: CVE-2026-6747)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to use-after-free in the WebRTC component when handling crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.

User interaction is required to visit a specially crafted website or URL.


3) Use of uninitialized resource (CVE-ID: CVE-2026-6748)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to uninitialized memory in the Audio/Video: Web Codecs component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.

User interaction is required to visit a specially crafted website or URL.


4) Use of uninitialized resource (CVE-ID: CVE-2026-6749)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to uninitialized memory in the Graphics: Canvas2D component when rendering crafted web content. A remote attacker can cause the browser to process specially crafted content to disclose sensitive information.

User interaction is required to visit a crafted website or URL.


5) Improper access control (CVE-ID: CVE-2026-6750)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to escalate privileges.

The vulnerability exists due to improper access control in the Graphics: WebRender component when rendering crafted web content. A remote attacker can cause the browser to process specially crafted content to escalate privileges.

User interaction is required to visit a crafted website or URL.


6) Use of uninitialized resource (CVE-ID: CVE-2026-6751)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to uninitialized memory in the Audio/Video: Web Codecs component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.


7) Out-of-bounds read (CVE-ID: CVE-2026-6752)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to incorrect boundary conditions in the WebRTC component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.

User interaction is required to visit a crafted website or URL.


8) Buffer overflow (CVE-ID: CVE-2026-6753)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to incorrect boundary conditions in the WebRTC component when handling crafted web content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.

User interaction is required to visit a specially crafted website or URL.


9) Use-after-free (CVE-ID: CVE-2026-6754)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to use-after-free in the JavaScript Engine component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.

User interaction is required to visit a crafted website or URL.


10) NULL pointer dereference (CVE-ID: CVE-2026-6757)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to invalid pointer usage in the JavaScript: WebAssembly component when processing crafted WebAssembly content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.

User interaction is required to visit a specially crafted website or URL.


11) Use-after-free (CVE-ID: CVE-2026-6759)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the Widget: Cocoa component when handling local widget operations. A local user can trigger the vulnerable code path to cause a denial of service.


12) Improper access control (CVE-ID: CVE-2026-6761)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to escalate privileges.

The vulnerability exists due to improper access control in the Networking component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to escalate privileges.

User interaction is required to visit a specially crafted website or URL.


13) Input validation error (CVE-ID: CVE-2026-6762)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to spoof the user interface.

The vulnerability exists due to improper input validation in the DOM: Core & HTML component when rendering crafted web content. A remote attacker can cause the browser to process specially crafted content to spoof the user interface.

User interaction is required to visit a crafted website or URL.


14) Protection Mechanism Failure (CVE-ID: CVE-2026-6763)

CWE-ID: CWE-693 - Protection Mechanism Failure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass a security restriction.

The vulnerability exists due to improper restriction enforcement in the File Handling component when processing crafted file handling operations. A remote attacker can trigger the vulnerable behavior to bypass a security restriction.


15) Buffer overflow (CVE-ID: CVE-2026-6764)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to incorrect boundary conditions in the DOM: Device Interfaces component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.

User interaction is required to visit a specially crafted website or URL.


16) Information disclosure (CVE-ID: CVE-2026-6765)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the Form Autofill component when handling autofill data in crafted web content. A remote attacker can cause the browser to expose autofill-related information to disclose sensitive information.

User interaction is required to visit a specially crafted website or URL.


17) Buffer overflow (CVE-ID: CVE-2026-6766)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to incorrect boundary conditions in the Libraries component in NSS when parsing crafted input. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.

User interaction is required to visit a specially crafted website or URL.


18) Input validation error (CVE-ID: CVE-2026-6767)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an unspecified flaw in the Libraries component in NSS when processing crafted input. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.

User interaction is required to visit a crafted website or URL.


19) Improper access control (CVE-ID: CVE-2026-6769)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to escalate privileges.

The vulnerability exists due to improper access control in the Debugger component when processing crafted web content. A remote attacker can trigger the vulnerable behavior to escalate privileges.

User interaction is required to visit a specially crafted website or URL.


20) Input validation error (CVE-ID: CVE-2026-6770)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input handling in the Storage: IndexedDB component when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.

User interaction is required to visit a specially crafted website or URL.


21) Protection Mechanism Failure (CVE-ID: CVE-2026-6771)

CWE-ID: CWE-693 - Protection Mechanism Failure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass a security restriction.

The vulnerability exists due to improper restriction enforcement in the DOM: Security component when processing crafted web content. A remote attacker can trigger the vulnerable behavior to bypass a security restriction.

User interaction is required to visit a specially crafted website or URL.


22) Out-of-bounds read (CVE-ID: CVE-2026-6772)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to incorrect boundary conditions in the Libraries component in NSS when processing crafted input. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.

User interaction is required to visit a crafted website or URL.


23) Buffer overflow (CVE-ID: CVE-2026-6776)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to incorrect boundary conditions in the WebRTC: Networking component when handling crafted web content. A remote attacker can cause the browser to process specially crafted content to cause a denial of service.

User interaction is required to visit a specially crafted website or URL.


24) Buffer overflow (CVE-ID: CVE-2026-6785)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to memory corruption in multiple components when rendering crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.

The advisory states that some of the underlying bugs showed evidence of memory corruption.


25) Buffer overflow (CVE-ID: CVE-2026-6786)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to memory corruption in multiple browser components when processing crafted web content. A remote attacker can cause the browser to process specially crafted content to execute arbitrary code.

Some of the bugs showed evidence of memory corruption.


26) Out-of-bounds read (CVE-ID: CVE-2026-7320)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to incorrect boundary conditions in the Audio/Video component when processing media content. A remote attacker can cause the browser to process specially crafted media content to disclose sensitive information.


27) Input validation error (CVE-ID: CVE-2026-7321)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to escape the sandbox.

The vulnerability exists due to incorrect boundary conditions in the WebRTC: Networking component when handling WebRTC network traffic. A remote attacker can trigger specially crafted WebRTC network interactions to escape the sandbox.

User interaction is required to visit a specially crafted website or URL.


28) Buffer overflow (CVE-ID: CVE-2026-7322)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to memory corruption when processing crafted web content. A remote attacker can trigger memory safety bugs to execute arbitrary code.


29) Buffer overflow (CVE-ID: CVE-2026-7323)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to memory corruption when rendering web content. A remote attacker can trigger memory corruption using specially crafted web content to execute arbitrary code.


Remediation

Install update from vendor's website.