Thunderbird Security Update Fixes Multiple Risks

MGASA-2026-0053
Summary

Thunderbird users are advised to update to the latest version to protect against multiple security risks, including unauthorized access to sensitive data and malicious code potentially escaping restrictions. These vulnerabilities were addressed in recent updates, so make sure your Thunderbird installation is current and update as soon as possible.

What to do
  • Update thunderbird to version 140.8.0-1.mga9.
  • Update thunderbird-l10n to version 140.8.0-1.mga9.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| | thunderbird | <= 140.8.0-1.mga9 | 140.8.0-1.mga9 |
| | thunderbird-l10n | <= 140.8.0-1.mga9 | 140.8.0-1.mga9 |
Original title
Updated thunderbird packages fix security vulnerabilities
Original description
  • Incorrect boundary conditions in the WebRTC: Audio/Video component. (CVE-2026-2757)
  • Use-after-free in the JavaScript: GC component. (CVE-2026-2758)
  • Incorrect boundary conditions in the Graphics: ImageLib component. (CVE-2026-2759)
  • Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. (CVE-2026-2760)
  • Sandbox escape in the Graphics: WebRender component. (CVE-2026-2761)
  • Integer overflow in the JavaScript: Standard Library component. (CVE-2026-2762)
  • Use-after-free in the JavaScript Engine component. (CVE-2026-2763)
  • JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2764)
  • Use-after-free in the JavaScript Engine component. (CVE-2026-2765)
  • Use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2766)
  • Use-after-free in the JavaScript: WebAssembly component. (CVE-2026-2767)
  • Sandbox escape in the Storage: IndexedDB component. (CVE-2026-2768)
  • Use-after-free in the Storage: IndexedDB component. (CVE-2026-2769)
  • Use-after-free in the DOM: Bindings (WebIDL) component. (CVE-2026-2770)
  • Undefined behavior in the DOM: Core & HTML component. (CVE-2026-2771)
  • Use-after-free in the Audio/Video: Playback component. (CVE-2026-2772)
  • Incorrect boundary conditions in the Web Audio component. (CVE-2026-2773)
  • Integer overflow in the Audio/Video component. (CVE-2026-2774)
  • Mitigation bypass in the DOM: HTML Parser component. (CVE-2026-2775)
  • Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. (CVE-2026-2776)
  • Privilege escalation in the Messaging System component. (CVE-2026-2777)
  • Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. (CVE-2026-2778)
  • Incorrect boundary conditions in the Networking: JAR component. (CVE-2026-2779)
  • Privilege escalation in the Netmonitor component. (CVE-2026-2780)
  • Privilege escalation in the Netmonitor component. (CVE-2026-2782)
  • Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. (CVE-2026-2783)
  • Mitigation bypass in the DOM: Security component. (CVE-2026-2784)
  • Invalid pointer in the JavaScript Engine component. (CVE-2026-2785)
  • Use-after-free in the JavaScript Engine component. (CVE-2026-2786)
  • Use-after-free in the DOM: Window and Location component. (CVE-2026-2787)
  • Incorrect boundary conditions in the Audio/Video: GMP component. (CVE-2026-2788)
  • Use-after-free in the Graphics: ImageLib component. (CVE-2026-2789)
  • Same-origin policy bypass in the Networking: JAR component. (CVE-2026-2790)
  • Mitigation bypass in the Networking: Cache component. (CVE-2026-2791)
  • Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2792)
  • Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2793)
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026