
[CIVN-2026-0045] Multiple Vulnerabilities in Mozilla Thunderbird
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Mozilla Thunderbird ESR versions prior to 140.7
Mozilla Thunderbird versions prior to 147
Overview
Multiple vulnerabilities have been reported in Mozilla Thunderbird which could allow a remote attacker to execute arbitrary code, bypass security restrictions or perform spoofing attacks on the targeted system.
Target Audience
All end-user organizations and individuals using Mozilla Thunderbird.
Risk Assessment
High risk of system compromise and service disruptions.
Impact Assessment
Potential for system compromise and service unavailability.
Description
These vulnerabilities exist in Mozilla Thunderbird due to Mitigation bypass in the DOM: Security component; Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component, integer overflow in the Graphics component; Use-after-free in the IPC component, JavaScript Engine component, JavaScript: GC component; Spoofing issue in the Downloads Panel component, Information disclosure in the Networking component, XML component; Clickjacking issue, information disclosure in the PDF Viewer component; Spoofing issue in the DOM: Copy & Paste and Drag & Drop component; Memory safety bugs and Denial-of-service in the DOM: Service Workers component. A remote attacker could exploit these vulnerabilities by convincing the victim to open a specially crafted web request.
Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code, bypass security restrictions or perform spoofing attacks on the targeted system.
Solution
Apply appropriate updates as mentioned by the vendor:
https://www.mozilla.org/en-US/security/advisories/mfsa2026-04/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-05/
References
Mozilla
https://www.mozilla.org/en-US/security/advisories/mfsa2026-04/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-05/
CVE Name
CVE-2025-14327
CVE-2026-0877
CVE-2026-0878
CVE-2026-0879
CVE-2026-0880
CVE-2026-0880
CVE-2026-0882
CVE-2026-0883
CVE-2026-0884
CVE-2026-0885
CVE-2026-0886
CVE-2026-0887
CVE-2026-0888
CVE-2026-0889
CVE-2026-0890
CVE-2026-0890
CVE-2026-0892
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


