Skip to main content

Thunderbird CVE-2026-4371

| EUVDEUVD-2026-15023 HIGH
Buffer Over-read (CWE-126)
2026-03-24 mozilla GHSA-4p49-pghr-968w
7.4
CVSS 3.1 · Vendor: mozilla
Share

Severity by source

Vendor (mozilla) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
8.2 HIGH
qualitative

Primary rating from Vendor (mozilla).

CVSS VectorVendor: mozilla

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:17 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
149,140.9
EUVD ID Assigned
Mar 24, 2026 - 20:31 euvd
EUVD-2026-15023
Analysis Generated
Mar 24, 2026 - 20:31 vuln.today
CVE Published
Mar 24, 2026 - 20:27 nvd
HIGH 7.4

DescriptionCVE.org

A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking sensitive data. This vulnerability affects Thunderbird < 149 and Thunderbird < 140.9.

AnalysisAI

Thunderbird's mail parser fails to validate string length parameters, allowing a compromised mail server to trigger out-of-bounds memory reads through malformed email content. Affected users running versions prior to 149 and 140.9 could experience application crashes or disclosure of sensitive data from process memory. The vulnerability requires network access but no user interaction, though no patch is currently available.

Technical ContextAI

The vulnerability exists in Thunderbird's email message parsing logic, specifically in how the mail parser processes string length fields within MIME or protocol-level message structures. When a malicious server sends a message with a negative length value in a string field, the parser fails to properly validate the length before performing memory read operations. This is a classic buffer over-read vulnerability (related to CWE-125: Out-of-bounds Read) where inadequate bounds checking on user-controlled length values allows reading beyond the intended buffer boundary. The affected products are identified via CPE as mozilla:thunderbird across all platforms. The vulnerability stems from insufficient input validation in the mail protocol parser, which does not sanitize or range-check length fields before using them in memory access operations.

RemediationAI

Immediately upgrade Mozilla Thunderbird to version 149 or later, or to version 140.9 or later if using the extended support release branch. Users should apply patches via the built-in update mechanism or download the latest version from https://www.mozilla.org/en-US/thunderbird/. Until patching is complete, users handling sensitive communications should consider temporarily disabling automatic mail fetching, using a separate mail client in a sandboxed environment, or restricting access to trusted mail servers only. Administrators should prioritize Thunderbird security updates in their patch management process and encourage users to enable automatic updates. Review the detailed Mozilla security advisories at https://www.mozilla.org/security/advisories/mfsa2026-23/ and https://www.mozilla.org/security/advisories/mfsa2026-24/ for platform-specific instructions.

CVE-2013-0758 CRITICAL POC
9.3 Jan 13

Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb

CVE-2013-0753 CRITICAL POC
9.3 Jan 13

Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox b

CVE-2012-3993 CRITICAL POC
9.3 Oct 10

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi

CVE-2013-1710 CRITICAL POC
10.0 Aug 07

The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird befo

CVE-2013-0757 CRITICAL POC
9.3 Jan 13

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi

CVE-2014-1510 CRITICAL POC
9.8 Mar 19

The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se

CVE-2014-1511 CRITICAL POC
9.8 Mar 19

Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remo

CVE-2016-1960 HIGH POC
8.8 Mar 13

Integer underflow in the nsHtml5TreeBuilder class in the HTML5 string parser in Mozilla Firefox before 45.0 and Firefox

CVE-2015-0816 MEDIUM POC
5.0 Apr 01

Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource

CVE-2013-2566 MEDIUM POC
5.9 Mar 15

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for

CVE-2024-4367 HIGH POC
8.8 May 14

Arbitrary JavaScript execution in Mozilla's PDF.js library affects Firefox before 126, Firefox ESR before 115.11, and Th

CVE-2012-4188 CRITICAL
9.3 Oct 10

Heap-based buffer overflow in the Convolve3x3 function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, T

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Liberty Linux 10 Fixed
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Linux Enterprise Workstation Extension 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed

Share

CVE-2026-4371 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy