Thunderbird Update Fixes Critical Security Risks
RLSA-2026:8459
Summary
Thunderbird users should update to the latest version to prevent hackers from executing malicious code or stealing sensitive information. This update fixes several security bugs that could allow attackers to take control of your computer or steal your data. To stay safe, make sure your Thunderbird software is current with the latest patches.
What to do
- Update thunderbird to version 0:140.9.1-1.el9_7.
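To confirm that a host is past the affected range, compare its installed epoch:version-release with the fixed build using rpm's own ordering rather than a plain string comparison. The following is an added example, not part of the advisory; the function names are hypothetical and the version strings in the comments are constructed samples.

```python
import re

# Fixed build named in this advisory (epoch:version-release).
FIXED_EVR = "0:140.9.1-1.el9_7"

def rpmvercmp(a, b):
    """Compare two version or release strings by rpm's segment rules: -1, 0 or 1."""
    xs = re.findall(r"[0-9]+|[A-Za-z]+|~|\^", a)
    ys = re.findall(r"[0-9]+|[A-Za-z]+|~|\^", b)
    for i in range(max(len(xs), len(ys))):
        x = xs[i] if i < len(xs) else None
        y = ys[i] if i < len(ys) else None
        if x == "~" or y == "~":      # tilde sorts before everything, even end of string
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x == "^" or y == "^":      # caret sorts after end of string, before a real segment
            if x != y:
                if x is None or y is None:
                    return -1 if x is None else 1
                return -1 if x == "^" else 1
            continue
        if x is None or y is None:    # the string with segments left over is newer
            return -1 if x is None else 1
        if x[0].isdigit() != y[0].isdigit():   # a numeric segment beats an alphabetic one
            return 1 if x[0].isdigit() else -1
        kx, ky = (int(x), int(y)) if x[0].isdigit() else (x, y)
        if kx != ky:
            return -1 if kx < ky else 1
    return 0

def parse_evr(evr):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, dash, release = rest.rpartition("-")
    if not dash:
        version, release = rest, ""
    return int(epoch), version, release

def is_affected(installed_evr, fixed_evr=FIXED_EVR):
    """True when installed_evr sorts strictly below the fixed build."""
    e1, v1, r1 = parse_evr(installed_evr)
    e2, v2, r2 = parse_evr(fixed_evr)
    if e1 != e2:
        return e1 < e2
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) < 0

# Constructed samples: "140.9.0-1.el9_7" is affected, "140.10.0-1.el9_7" is not.
```

On a Rocky Linux 9 host the installed value can be read with `rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' thunderbird` and passed to `is_affected`.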
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Rocky Linux:9 | – | thunderbird | < 0:140.9.1-1.el9_7 (fix: upgrade to 0:140.9.1-1.el9_7) |
Original title
Important: thunderbird security update
Original description
Mozilla Thunderbird is a standalone mail and newsgroup client.
Security Fix(es):
* libpng: libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)
* libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)
* thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5734)
* thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5731)
* firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component (CVE-2026-5732)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
OSV CVSS 3.1 score: 8.8
- https://errata.rockylinux.org/RLSA-2026:8459 Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2451805 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2451819 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2455897 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2455901 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2455908 Third Party Advisory
Published: 19 Apr 2026 · Updated: 19 Apr 2026 · First seen: 19 Apr 2026