SB2026051199 - Multiple vulnerabilities in Mozilla Thunderbird ESR

Security Bulletin ID SB2026051199

CSH Severity

High

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 vulnerabilities.

1) Use-after-free (CVE-ID: CVE-2026-8090)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to use-after-free in the DOM: Networking component when processing web content. A remote attacker can trigger the use-after-free with specially crafted content to execute arbitrary code.

User interaction is required to visit a specially crafted website or open a specially crafted URL.

2) Input validation error (CVE-ID: CVE-2026-8094)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an unspecified vulnerability in the WebRTC component. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system.

3) Buffer overflow (CVE-ID: CVE-2026-8092)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to memory corruption when processing web content. A remote attacker can trigger memory corruption using specially crafted content to execute arbitrary code.

Some of the reported bugs showed evidence of memory corruption.

Remediation

Install update from vendor's website.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2026-44/