Mozilla Foundation Security Advisory 2026-51
Security Vulnerabilities fixed in Thunderbird 140.11
- Announced: May 19, 2026
- Impact: high
- Products: Thunderbird
- Fixed in: Thunderbird 140.11
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts.
#CVE-2026-8946: Incorrect boundary conditions in the Audio/Video: Web Codecs component
- Reporter: zx
- Impact: high
#CVE-2026-8388: Incorrect boundary conditions in the JavaScript Engine: JIT component
- Reporter: ggwhyp
- Impact: high
#CVE-2026-8947: Use-after-free in the DOM: Bindings (WebIDL) component
- Reporter: Satoki Tsuji
- Impact: high
#CVE-2026-8391: Other issue in the JavaScript Engine component
- Reporter: ggwhyp
- Impact: high
#CVE-2026-8401: Sandbox escape in the Profile Backup component
- Reporter: ggwhyp
- Impact: high
#CVE-2026-8949: Integer overflow in the Widget: Win32 component
- Reporter: q1
- Impact: moderate
#CVE-2026-8950: Same-origin policy bypass in the Networking: HTTP component
- Reporter: Jakub Szymsza
- Impact: moderate
#CVE-2026-8953: Sandbox escape due to use-after-free in the Disability Access APIs component
- Reporter: stevej
- Impact: moderate
#CVE-2026-8954: Incorrect boundary conditions, integer overflow in the Audio/Video component
- Reporter: Ameen Basha M K
- Impact: moderate
#CVE-2026-8955: Privilege escalation in the DOM: Workers component
- Reporter: lebr0nli
- Impact: moderate
#CVE-2026-8956: Integer overflow in the Networking: JAR component
- Reporter: Yaqoub Aldurayhim
- Impact: moderate
#CVE-2026-8957: Privilege escalation in the Enterprise Policies component
- Reporter: Mateusz Dobrzyński
- Impact: moderate
#CVE-2026-8958: Information disclosure, sandbox escape in the Security: Process Sandboxing component
- Reporter: Yaqoub Aldurayhim
- Impact: moderate
#CVE-2026-8959: Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component
- Reporter: Ameen Basha M K
- Impact: moderate
#CVE-2026-8961: Spoofing issue in the Form Autofill component
- Reporter: Hafiizh
- Impact: low
#CVE-2026-8962: Mitigation bypass in the DOM: Security component
- Reporter: Manojkumar Jaganathan
- Impact: low
#CVE-2026-8968: Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component
- Reporter: Tristan Madani
- Impact: low
#CVE-2026-8970: Privilege escalation in the Security component
- Reporter: pakhunov.anton.n
- Impact: low
#CVE-2026-8974: Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151
- Reporter: Nika Layzell, Randell Jesup, Timothy Nikkel, Tom Schuster and the Mozilla Fuzzing Team
- Impact: moderate
Description
Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
#CVE-2026-8975: Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151
- Reporter: Andrew McCreight, Valentin Gosu, Nika Layzell, Tom Schuster and the Mozilla Fuzzing Team
- Impact: high
Description
Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.