
[CIVN-2025-0362] Multiple Vulnerabilities in Mozilla Thunderbird
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Mozilla Thunderbird versions prior to 140.6
Mozilla Thunderbird versions prior to 146
Overview
Multiple vulnerabilities have been reported in Mozilla Thunderbird which could allow a remote attacker to execute arbitrary code, bypass security restrictions, gain elevated privileges or perform spoofing attacks on the targeted system.
Target Audience:
All end-user organizations and individuals using Mozilla Thunderbird.
Risk Assessment:
High risk of system compromise and service disruptions.
Impact Assessment:
Potential for system compromise and service unavailability.
Description
These vulnerabilities exist in Mozilla Thunderbird due to Use-after-free in the WebRTC: Signaling component and Audio/Video: GMP component; Incorrect boundary conditions in the Graphics: CanvasWebGL component; Privilege escalation in the DOM: Notifications component; JIT miscompilation in the JavaScript Engine: JIT component; Privilege escalation in the Netmonitor component; Same origin policy bypass in the Request Handling component; Memory safety bugs. A remote attacker could exploit these vulnerabilities by convincing the victim to open a specially crafted web request.
Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code, bypass security restrictions, gain elevated privileges or perform spoofing attacks on the targeted system.
Solution
Apply appropriate updates as mentioned by the vendor:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-95/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-96/
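To find which installations still need these updates, a version inventory can be checked against the two fixed versions listed under Software Affected. The Python script below is an added example, not part of the CERT-In advisory or of Mozilla's tooling. The "host,version" inventory format, the host names, and the treatment of 140.x as its own branch fixed at 140.6 (with everything else compared against 146) are assumptions.

```python
import re

# Fixed versions from the advisory's "Software Affected" list.
# Assumption: 140.x is its own maintained branch, fixed at 140.6;
# every other version is compared against 146.
BRANCH_FIX = (140, 6, 0)
MAINLINE_FIX = (146, 0, 0)

# Accept N, N.N or N.N.N with an optional "esr" suffix. Anything else
# (for example a beta such as 146.0b3) is left for manual review.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:esr)?$")

def parse_version(text):
    """Return a 3-part numeric tuple for a version string, or None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(p) if p is not None else 0 for p in m.groups())

def is_affected(version_text):
    """True if affected, False if patched, None if not parseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    # Tuples compare numerically, so 140.10 ranks above 140.6
    # (a plain string comparison would get this wrong).
    fix = BRANCH_FIX if v[0] == BRANCH_FIX[0] else MAINLINE_FIX
    return v < fix

def triage(inventory_lines):
    """Sort 'host,version' lines into affected / patched / unknown."""
    result = {"affected": [], "patched": [], "unknown": []}
    for line in inventory_lines:
        host, _, version = line.partition(",")
        verdict = is_affected(version)
        key = "unknown" if verdict is None else ("affected" if verdict else "patched")
        result[key].append(host.strip())
    return result

# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    "ws-01,140.5.0esr", "ws-02,140.6.0esr", "ws-03,140.10.0esr",
    "ws-04,145.0.1", "ws-05,146.0", "ws-06,128.14.0esr", "ws-07,146.0b3",
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown carry a version string the parser does not recognise and should be checked by hand.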
References
Mozilla
https://www.mozilla.org/en-US/security/advisories/mfsa2025-95/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-96/
CVE Name
CVE-2025-14321
CVE-2025-14322
CVE-2025-14323
CVE-2025-14324
CVE-2025-14325
CVE-2025-14326
CVE-2025-14327
CVE-2025-14328
CVE-2025-14329
CVE-2025-14330
CVE-2025-14331
CVE-2025-14332
CVE-2025-14333
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


