Update Thunderbird to Fix Multiple Security Risks
ALSA-2026:3517
Summary
Mozilla Thunderbird users should update to the latest version to fix several security issues that could allow an attacker to access sensitive information, take control of the program, or execute malicious code. This update is recommended to prevent potential data breaches and system compromise. Update Thunderbird as soon as possible to ensure your email and data remain secure.
What to do
- Update almalinux thunderbird to version 140.8.0-2.el10_1.alma.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| almalinux | thunderbird | <= 140.8.0-2.el10_1.alma.1 | 140.8.0-2.el10_1.alma.1 |
Original title
Important: thunderbird security update
Original description
Mozilla Thunderbird is a standalone mail and newsgroup client.
Security Fix(es):
* libvpx: Heap buffer overflow in libvpx (CVE-2026-2447)
* firefox: Invalid pointer in the JavaScript Engine component (CVE-2026-2785)
* firefox: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2793)
* firefox: Undefined behavior in the DOM: Core & HTML component (CVE-2026-2771)
* firefox: Integer overflow in the Audio/Video component (CVE-2026-2774)
* firefox: Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software (CVE-2026-2776)
* firefox: Integer overflow in the Libraries component in NSS (CVE-2026-2781)
* firefox: Use-after-free in the JavaScript Engine: JIT component (CVE-2026-2766)
* firefox: Use-after-free in the Storage: IndexedDB component (CVE-2026-2769)
* firefox: Use-after-free in the DOM: Window and Location component (CVE-2026-2787)
* firefox: Sandbox escape in the Storage: IndexedDB component (CVE-2026-2768)
* firefox: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component (CVE-2026-2783)
* firefox: Incorrect boundary conditions in the Audio/Video: GMP component (CVE-2026-2788)
* firefox: Mitigation bypass in the DOM: Security component (CVE-2026-2784)
* firefox: Incorrect boundary conditions in the Graphics: ImageLib component (CVE-2026-2759)
* firefox: Integer overflow in the JavaScript: Standard Library component (CVE-2026-2762)
* firefox: Sandbox escape in the Graphics: WebRender component (CVE-2026-2761)
* firefox: Privilege escalation in the Messaging System component (CVE-2026-2777)
* firefox: Same-origin policy bypass in the Networking: JAR component (CVE-2026-2790)
* firefox: Mitigation bypass in the DOM: HTML Parser component (CVE-2026-2775)
* firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2763)
* firefox: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2792)
* firefox: Incorrect boundary conditions in the Web Audio component (CVE-2026-2773)
* firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2786)
* firefox: Use-after-free in the Graphics: ImageLib component (CVE-2026-2789)
* firefox: thunderbird: Incorrect boundary conditions in the WebRTC: Audio/Video component (CVE-2026-2757)
* firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component (CVE-2026-2760)
* firefox: Use-after-free in the Audio/Video: Playback component (CVE-2026-2772)
* firefox: Incorrect boundary conditions in the Networking: JAR component (CVE-2026-2779)
* firefox: Use-after-free in the JavaScript: WebAssembly component (CVE-2026-2767)
* firefox: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component (CVE-2026-2764)
* firefox: Privilege escalation in the Netmonitor component (CVE-2026-2782)
* firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2765)
* firefox: Privilege escalation in the Netmonitor component (CVE-2026-2780)
* firefox: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component (CVE-2026-2778)
* firefox: Use-after-free in the JavaScript: GC component (CVE-2026-2758)
* firefox: Mitigation bypass in the Networking: Cache component (CVE-2026-2791)
* firefox: Use-after-free in the DOM: Bindings (WebIDL) component (CVE-2026-2770)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
- https://access.redhat.com/errata/RHSA-2026:3517 Vendor Advisory
- https://access.redhat.com/security/cve/CVE-2026-2447 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2757 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2758 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2759 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2760 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2761 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2762 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2763 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2764 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2765 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2766 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2767 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2768 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2769 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2770 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2771 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2772 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2773 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2774 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2775 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2776 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2777 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2778 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2779 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2780 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2781 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2782 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2783 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2784 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2785 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2786 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2787 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2788 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2789 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2790 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2791 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2792 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-2793 Third Party Advisory
- https://bugzilla.redhat.com/2440219 Third Party Advisory
- https://bugzilla.redhat.com/2442284 Third Party Advisory
- https://bugzilla.redhat.com/2442287 Third Party Advisory
- https://bugzilla.redhat.com/2442288 Third Party Advisory
- https://bugzilla.redhat.com/2442290 Third Party Advisory
- https://bugzilla.redhat.com/2442291 Third Party Advisory
- https://bugzilla.redhat.com/2442292 Third Party Advisory
- https://bugzilla.redhat.com/2442294 Third Party Advisory
- https://bugzilla.redhat.com/2442295 Third Party Advisory
- https://bugzilla.redhat.com/2442297 Third Party Advisory
- https://bugzilla.redhat.com/2442298 Third Party Advisory
- https://bugzilla.redhat.com/2442300 Third Party Advisory
- https://bugzilla.redhat.com/2442302 Third Party Advisory
- https://bugzilla.redhat.com/2442304 Third Party Advisory
- https://bugzilla.redhat.com/2442307 Third Party Advisory
- https://bugzilla.redhat.com/2442308 Third Party Advisory
- https://bugzilla.redhat.com/2442309 Third Party Advisory
- https://bugzilla.redhat.com/2442312 Third Party Advisory
- https://bugzilla.redhat.com/2442313 Third Party Advisory
- https://bugzilla.redhat.com/2442314 Third Party Advisory
- https://bugzilla.redhat.com/2442316 Third Party Advisory
- https://bugzilla.redhat.com/2442318 Third Party Advisory
- https://bugzilla.redhat.com/2442319 Third Party Advisory
- https://bugzilla.redhat.com/2442320 Third Party Advisory
- https://bugzilla.redhat.com/2442322 Third Party Advisory
- https://bugzilla.redhat.com/2442324 Third Party Advisory
- https://bugzilla.redhat.com/2442325 Third Party Advisory
- https://bugzilla.redhat.com/2442326 Third Party Advisory
- https://bugzilla.redhat.com/2442327 Third Party Advisory
- https://bugzilla.redhat.com/2442328 Third Party Advisory
- https://bugzilla.redhat.com/2442329 Third Party Advisory
- https://bugzilla.redhat.com/2442331 Third Party Advisory
- https://bugzilla.redhat.com/2442333 Third Party Advisory
- https://bugzilla.redhat.com/2442334 Third Party Advisory
- https://bugzilla.redhat.com/2442335 Third Party Advisory
- https://bugzilla.redhat.com/2442337 Third Party Advisory
- https://bugzilla.redhat.com/2442342 Third Party Advisory
- https://bugzilla.redhat.com/2442343 Third Party Advisory
- https://errata.almalinux.org/10/ALSA-2026-3517.html Vendor Advisory
Published: 2 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026