Thunderbird

Thunderbird's mail parser fails to validate string length parameters, allowing a compromised mail server to trigger out-of-bounds memory reads through malformed email content. Affected users running versions prior to 149 and 140.9 could experience application crashes or disclosure of sensitive data from process memory. The vulnerability requires network access but no user interaction, though no patch is currently available.

A spoofing vulnerability exists in Mozilla Thunderbird that affects versions below 149 and below 140.9, allowing attackers to spoof email sources or identities. This vulnerability is classified as an information disclosure issue that could compromise email authentication and user trust. While specific CVSS and EPSS metrics are unavailable, the vulnerability warrants prompt patching as Mozilla has issued security advisories indicating active remediation efforts.

Multiple memory safety bugs affecting Firefox, Firefox ESR, and Thunderbird browsers present a critical remote code execution risk through memory corruption vulnerabilities. The affected versions include Firefox below 149, Firefox ESR below 115.34 and 140.9, Thunderbird ESR 140.8, Firefox 148, and Thunderbird 148. These memory safety issues demonstrate evidence of exploitable memory corruption that could allow attackers to execute arbitrary code on affected systems, though no public exploit or active KEV confirmation is currently documented.

Multiple memory safety bugs in Firefox 148 and Thunderbird 148 allow attackers to trigger memory corruption with potential for arbitrary code execution. Firefox versions prior to 149 are vulnerable, as confirmed by Mozilla security advisories. The vulnerability requires no user interaction beyond normal browsing and represents a critical elevation risk due to the presume-exploitable nature of the underlying memory corruption issues.

Multiple memory safety bugs affecting Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR allow remote attackers to achieve arbitrary code execution through memory corruption vulnerabilities. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are confirmed affected, with evidence suggesting these memory corruption issues could be exploited under sufficient effort. The vulnerability class encompasses buffer overflow and memory safety defects that demonstrate exploitation potential, though no active public exploitation has been documented at this time.

Memory safety bugs in Firefox 147 and Thunderbird 147 with evidence of memory corruption. Mainline-only bugs not present in ESR branches.

Uninitialized memory read in Firefox Graphics Text component before 148. Text rendering may expose uninitialized memory contents.

Invalid pointer in Firefox DOM Core & HTML before 148. Incorrect pointer computation leads to memory access errors.

A use-after-free vulnerability in Firefox and Thunderbird's JavaScript WebAssembly engine allows remote attackers to achieve information disclosure or data manipulation through a malicious webpage or email attachment that requires user interaction. Affected versions include Firefox below 148 and Thunderbird below 148, with no patch currently available. The vulnerability has a network attack vector with low complexity and carries a CVSS score of 5.4.

The Settings UI component in Firefox and Thunderbird versions prior to 148 fails to properly restrict access to sensitive configuration data, enabling unauthenticated attackers to remotely disclose confidential information without user interaction. This vulnerability bypasses existing security mitigations designed to protect user settings and preferences. No patch is currently available for affected users.

Firefox and Thunderbird versions below 148 contain a race condition in the JavaScript garbage collection component that could allow an attacker to access or modify limited data through specially crafted content requiring user interaction. The vulnerability has a CVSS score of 4.2 and currently lacks an available patch.

Improper boundary condition handling in the JavaScript/WebAssembly engine of Firefox and Thunderbird before version 148 enables remote denial of service attacks without requiring user interaction or privileges. An attacker can crash affected applications or cause service unavailability by sending specially crafted content. No patch is currently available.

Spoofing in Firefox for Android WebAuthn component before 148. Allows phishing attacks through WebAuthn UI manipulation.

Use-after-free in Firefox DOM Core & HTML before 148. DOM object lifecycle error.

A use-after-free vulnerability in Firefox and Thunderbird's DOM processing allows remote attackers to execute arbitrary code through a malicious webpage or email attachment, requiring only user interaction to trigger. This affects Firefox versions below 148 and Thunderbird versions below 148, with no patch currently available.

Use-after-free in Firefox JavaScript GC before 148. Second GC UAF, different from CVE-2026-2795.

JIT miscompilation in Firefox WebAssembly before 148. The JIT compiler generates incorrect Wasm code, enabling type confusion. PoC available.

Use-after-free in Firefox JavaScript GC component before 148. GC-specific UAF affecting only mainline Firefox and Thunderbird.

Memory safety bugs in Firefox ESR 115.32, ESR 140.7, and Firefox 147. Broader set of memory corruption issues than CVE-2026-2792.

Memory safety bugs in Firefox ESR 140.7 and Firefox 147 with evidence of memory corruption and potential code execution exploitability.

Cache-based mitigation bypass in Firefox Networking before 148. Caching mechanism can be exploited to bypass security mitigations.

Same-origin policy bypass in Firefox Networking JAR component before 148. Allows cross-origin data access through JAR protocol handling.

Use-after-free in Firefox ImageLib graphics component before 148. Image processing triggers use of freed memory.

Boundary error in Firefox Audio/Video GMP (Gecko Media Plugins) component before 148. Media plugin processing triggers memory corruption.

Use-after-free in Firefox DOM Window and Location component before 148. Window/Location lifecycle management error.

Use-after-free in Firefox JavaScript Engine before 148. Fourth distinct JS engine UAF in this release.

Invalid pointer in Firefox JavaScript Engine before 148. Incorrect pointer computation leads to memory corruption.

DOM Security mitigation bypass in Firefox before 148. Security mechanisms protecting DOM operations can be circumvented.

Unauthenticated attackers can extract sensitive information from Firefox and Thunderbird users through a JavaScript engine JIT compilation flaw, affecting all versions prior to Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. The vulnerability requires no user interaction and can be exploited remotely over the network. No patch is currently available for this high-severity flaw.

Privilege escalation in Firefox Netmonitor component before 148. Second Netmonitor privilege escalation, separate from CVE-2026-2780.

Integer overflow in Firefox NSS (Network Security Services) Libraries component before 148. Overflow in the cryptographic library could affect TLS and certificate operations.

Privilege escalation in Firefox Netmonitor component before 148. Developer tools component allows escalation from content to higher privileges.

Boundary error in Firefox Networking JAR component before 148. Processing JAR (Java Archive) content triggers memory corruption.

Sandbox escape via DOM Core & HTML component in Firefox before 148. CVSS 10.0 — fifth sandbox escape in this release.

Privilege escalation in Firefox Messaging System component before 148. The inter-process messaging system allows escalation from content to privileged process.

Sandbox escape via Telemetry component in Firefox external software before 148. CVSS 10.0 — fourth sandbox escape in this release, through the telemetry subsystem.

HTML parser mitigation bypass in Firefox DOM before 148. Bypasses content sanitization protections via alternate authentication path in the HTML parser.

Integer overflow in Firefox Audio/Video component before 148. Overflow in media processing leads to incorrect memory allocations.

Boundary error in Firefox Web Audio component before 148. Crafted audio processing triggers memory corruption.

Use-after-free in Firefox Audio/Video Playback component before 148. Media playback triggers memory corruption.

Undefined behavior in Firefox DOM Core & HTML component before 148. Can lead to memory corruption and potential code execution.

Use-after-free in Firefox DOM Bindings (WebIDL) component before 148. Memory corruption in the interface between JavaScript and native DOM objects.

A use-after-free vulnerability in the IndexedDB storage component of Firefox and Thunderbird allows remote attackers to achieve arbitrary code execution through user interaction. Affected versions include Firefox below 148, Firefox ESR below 115.33 and 140.8, and Thunderbird below 148 and 140.8. No patch is currently available for this high-severity flaw.

Sandbox escape via IndexedDB in Firefox before 148 and Thunderbird. CVSS 10.0 — the Storage: IndexedDB component allows escaping the content process sandbox.

Use-after-free in Firefox JavaScript WebAssembly component before 148. WebAssembly-specific memory management bug.

Use-after-free in Firefox JavaScript JIT compiler before 148. Second JIT-related UAF in this release, different from CVE-2026-2764.

Use-after-free in Firefox JavaScript Engine before 148 and Thunderbird ESR 140.8. Separate UAF from CVE-2026-2763 and CVE-2026-2758.

JIT miscompilation causing use-after-free in Firefox JavaScript JIT compiler before 148. JIT bugs are highly exploitable due to their deterministic nature.

Use-after-free in Firefox JavaScript Engine before 148. One of multiple JS engine UAFs fixed in this release.

Integer overflow in Firefox JavaScript Standard Library before 148 leads to memory corruption through crafted JavaScript operations.

Second sandbox escape in Firefox WebRender component. CVSS 10.0 — independent path from CVE-2026-2760 to escape the content process sandbox.

Sandbox escape via boundary violation in Firefox WebRender graphics component. CVSS 10.0 — allows escaping the content sandbox to execute code with elevated privileges.

Boundary violation in Firefox ImageLib graphics component before 148 enables memory corruption through crafted images.

Use-after-free in Firefox JavaScript garbage collector before 148 allows remote code execution through crafted JavaScript.

Boundary violation in Firefox WebRTC Audio/Video component before 148 allows remote code execution through crafted WebRTC media streams.

Heap buffer overflow in libvpx affects Firefox and Thunderbird across multiple versions, enabling remote code execution when a user interacts with malicious content. An unauthenticated attacker can exploit this vulnerability over the network without special privileges to achieve complete system compromise including data theft and integrity violations. No patch is currently available, making this a critical risk for affected users.

Thunderbird's inline OpenPGP message decryption can leak secret email contents through CSS style injection when remote content loading is enabled, allowing attackers to extract decrypted plaintext via crafted email formatting. This affects Thunderbird versions before 147.0.1 and 140.7.1, requiring user interaction to trigger the vulnerability. No patch is currently available.

Firefox 146 and Thunderbird 146 contain memory safety bugs with evidence of memory corruption that could potentially be exploited for code execution.

Arbitrary code execution in Firefox and Thunderbird versions prior to 147/140.7 results from memory corruption vulnerabilities that could allow remote attackers to execute malicious code with no user interaction required. Multiple memory safety flaws across Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146, and Thunderbird 146 create conditions for potential exploitation despite no patch currently being available. The high CVSS score of 8.1 reflects the critical nature of achieving full system compromise through network-based attack vectors.

DOM spoofing in Mozilla Firefox and Thunderbird's copy, paste, and drag-and-drop functionality allows unauthenticated attackers to deceive users into performing unintended actions through crafted content. The vulnerability affects Firefox versions below 147 and ESR versions below 140.7, as well as Thunderbird versions below 147 and 140.7, requiring user interaction to exploit. No patch is currently available.

Service Workers in Mozilla Firefox and Thunderbird versions below 147 are vulnerable to remote denial-of-service attacks that require no user interaction or authentication. An unauthenticated attacker can crash affected applications over the network, and public exploit code exists for this vulnerability. Currently no patch is available for remediation.

Firefox and Thunderbird versions before 147 contain an information disclosure vulnerability in their XML processing component that allows unauthenticated attackers to access sensitive data over the network with minimal attack complexity. The vulnerability requires no user interaction and affects the confidentiality of information without impacting system integrity or availability. No security patch is currently available.

The PDF Viewer component in Firefox and Thunderbird is vulnerable to clickjacking attacks that enable information disclosure through UI redressing techniques. Attackers can manipulate user interactions to trick victims into unintentionally revealing sensitive information, affecting Firefox versions below 147, Firefox ESR below 140.7, Thunderbird below 147, and Thunderbird ESR below 140.7. No patch is currently available for this vulnerability.

Improper boundary validation in the Graphics component of Firefox, Firefox ESR, and Thunderbird allows unauthenticated remote attackers to cause limited information disclosure over the network without user interaction. Affected versions include Firefox before 147, Firefox ESR before 115.32 and 140.7, and Thunderbird before 147 and 140.7. No patch is currently available for this medium-severity vulnerability.

Memory corruption in Firefox and Thunderbird's JavaScript garbage collection engine allows remote attackers to crash the application or potentially leak sensitive information without user interaction. The vulnerability affects Firefox versions below 147, Firefox ESR below 140.7, Thunderbird below 147, and Thunderbird ESR below 140.7, with no patch currently available.

Firefox JavaScript engine has a use-after-free vulnerability. Affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147 and < 140.7.

The Networking component in Firefox and Thunderbird discloses sensitive information to unauthenticated remote attackers over the network. Affected versions include Firefox below 147, Firefox ESR below 140.7, Thunderbird below 147, and Thunderbird ESR below 140.7. No patch is currently available to remediate this vulnerability.

A use-after-free vulnerability in the IPC component of Firefox (versions below 147 and ESR versions below 115.32/140.7) and Thunderbird (versions below 147 and 140.7) enables remote code execution when users interact with malicious content. The flaw requires user interaction and network access, allowing attackers to achieve full system compromise with high integrity and confidentiality impact. No patch is currently available for this vulnerability.

Firefox Messaging System component has a sandbox escape vulnerability. Maximum CVSS 10.0 with scope change. Affects Firefox < 147 and Thunderbird < 147.

Integer overflow in Firefox and Thunderbird's Graphics component enables sandbox escape, allowing remote attackers to execute arbitrary code with high privileges through a malicious webpage or content requiring user interaction. Affected versions include Firefox below 147, Firefox ESR below 115.32 and 140.7, and Thunderbird below 147 and 140.7. No patch is currently available.

Firefox sandbox escape via incorrect boundary conditions in the Graphics component. Affects Firefox < 147, Firefox ESR < 115.32 and < 140.7, Thunderbird < 147 and < 140.7.

Incorrect boundary condition validation in Firefox and Thunderbird's WebGL graphics component allows attackers to escape the sandbox and potentially execute arbitrary code through a crafted web page or malicious content. The vulnerability affects Firefox versions below 147, Firefox ESR below 140.7, Thunderbird below 147, and Thunderbird ESR below 140.7, and requires user interaction to exploit. No patch is currently available.

DOM security bypass in Firefox and Thunderbird allows remote attackers to circumvent protective mitigations through user interaction, affecting multiple versions across both products. An attacker can exploit this to achieve high-impact compromise of confidentiality and integrity without requiring authentication. Currently no patch is available for affected users.

Memory safety bugs present in Firefox 144 and Thunderbird 144. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Incorrect boundary conditions in the Graphics: WebGPU component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

JIT miscompilation in the JavaScript Engine: JIT component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Incorrect boundary conditions in the Graphics: WebGPU component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Incorrect boundary conditions in the Graphics: WebGPU component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Use-after-free in the WebRTC: Audio/Video component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Same-origin policy bypass in the DOM: Workers component. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mitigation bypass in the DOM: Security component. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Same-origin policy bypass in the DOM: Notifications component. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Incorrect boundary conditions in the JavaScript: WebAssembly component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Spoofing issue in Firefox. Rated low severity (CVSS 3.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use-after-free in the Audio/Video component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mitigation bypass in the DOM: Core & HTML component. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race condition in the Graphics component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.