Mozilla Foundation Security Advisory 2026-11

Security Vulnerabilities fixed in Thunderbird 147.0.2 and 140.7.2

Announced

February 16, 2026

Impact

high

Products

Thunderbird

Fixed in

Thunderbird 140.7.2
Thunderbird 147.0.2

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

#CVE-2026-2447: Heap buffer overflow in libvpx

Reporter: jayjayjazz
Impact: high

References

Bug 2014390

Firefox browsers

Mozilla VPN

Mozilla Monitor

Firefox Relay

MDN Plus

Thunderbird

Solo

0DIN

About Mozilla

The Mozilla Manifesto

Get Involved

Blog

Mozilla Foundation

Mozilla.ai

Mozilla Ventures

Mozilla Advertising

Mozilla Builders

Mozilla New Products

Mozilla Foundation Security Advisory 2026-11

Security Vulnerabilities fixed in Thunderbird 147.0.2 and 140.7.2

#CVE-2026-2447: Heap buffer overflow in libvpx

References