Mozilla Foundation Security Advisory 2026-05

Security Vulnerabilities fixed in Thunderbird 140.7

Announced

January 13, 2026

Impact

high

Products

Thunderbird

Fixed in

Thunderbird 140.7

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

#CVE-2026-0877: Mitigation bypass in the DOM: Security component

Reporter: mingijung
Impact: high

References

Bug 1999257

#CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component

Reporter: Oskar L
Impact: high

References

Bug 2003989

#CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in the Graphics component

Reporter: Oskar L
Impact: high

References

Bug 2004602

#CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics component

Reporter: Oskar L
Impact: high

References

Bug 2005014

#CVE-2026-0882: Use-after-free in the IPC component

Reporter: Randell Jesup
Impact: high

References

Bug 1924125

#CVE-2025-14327: Spoofing issue in the Downloads Panel component

Reporter: Caro Kann
Impact: moderate

References

Bug 1970743

#CVE-2026-0883: Information disclosure in the Networking component

Reporter: Vladislav Plyatsok
Impact: moderate

References

Bug 1989340

#CVE-2026-0884: Use-after-free in the JavaScript Engine component

Reporter: Gary Kwong and Nan Wang
Impact: moderate

References

Bug 2003588

#CVE-2026-0885: Use-after-free in the JavaScript: GC component

Reporter: Irvan Kurniawan
Impact: moderate

References

Bug 2003607

#CVE-2026-0886: Incorrect boundary conditions in the Graphics component

Reporter: Oskar L
Impact: moderate

References

Bug 2005658

#CVE-2026-0887: Clickjacking issue, information disclosure in the PDF Viewer component

Reporter: Lyra Rebane
Impact: moderate

References

Bug 2006500

#CVE-2026-0890: Spoofing issue in the DOM: Copy & Paste and Drag & Drop component

Reporter: Edgar Chen
Impact: low

References

Bug 2005081

#CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147

Reporter: Andrew McCreight, Dennis Jackson and the Mozilla Fuzzing Team
Impact: high

Description

Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147

Mozilla VPN

Mozilla Monitor

Firefox Relay

MDN Plus

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Blog