Mozilla Foundation Security Advisory 2026-50

Security Vulnerabilities fixed in Thunderbird 151

Announced

May 19, 2026

Impact

high

Products

Thunderbird

Fixed in

Thunderbird 151

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

#CVE-2026-8946: Incorrect boundary conditions in the Audio/Video: Web Codecs component

Reporter: zx
Impact: high

References

Bug 2029070

#CVE-2026-8947: Use-after-free in the DOM: Bindings (WebIDL) component

Reporter: Satoki Tsuji
Impact: high

References

Bug 2038439

#CVE-2026-8948: Same-origin policy bypass in the DOM: Networking component

Reporter: satyamasd
Impact: high

References

Bug 2038803

#CVE-2026-8949: Integer overflow in the Widget: Win32 component

Reporter: q1
Impact: moderate

References

Bug 1355639

#CVE-2026-8950: Same-origin policy bypass in the Networking: HTTP component

Reporter: Jakub Szymsza
Impact: moderate

References

Bug 1965430

#CVE-2026-8952: Privilege escalation in the Application Update component

Reporter: Tomoya Nakanishi
Impact: moderate

References

Bug 2021727

#CVE-2026-8953: Sandbox escape due to use-after-free in the Disability Access APIs component

Reporter: stevej
Impact: moderate

References

Bug 2029511

#CVE-2026-8954: Incorrect boundary conditions, integer overflow in the Audio/Video component

Reporter: Ameen Basha M K
Impact: moderate

References

Bug 2030747

#CVE-2026-8955: Privilege escalation in the DOM: Workers component

Reporter: lebr0nli
Impact: moderate

References

Bug 2031064

#CVE-2026-8956: Integer overflow in the Networking: JAR component

Reporter: Yaqoub Aldurayhim
Impact: moderate

References

Bug 2032427

#CVE-2026-8957: Privilege escalation in the Enterprise Policies component

Reporter: Mateusz Dobrzyński
Impact: moderate

References

Bug 2033850

#CVE-2026-8958: Information disclosure, sandbox escape in the Security: Process Sandboxing component

Reporter: Yaqoub Aldurayhim
Impact: moderate

References

Bug 2034713

#CVE-2026-8959: Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component

Reporter: Ameen Basha M K
Impact: moderate

References

Bug 2034754

#CVE-2026-8960: Spoofing issue in WebExtensions

Reporter: Kanaru Sato
Impact: low

References

Bug 1940116

#CVE-2026-8961: Spoofing issue in the Form Autofill component

Reporter: Hafiizh
Impact: low

References

Bug 1962625

#CVE-2026-8962: Mitigation bypass in the DOM: Security component

Reporter: Manojkumar Jaganathan
Impact: low

References

Bug 2004804

#CVE-2026-8963: Spoofing issue in the Web Speech component

Reporter: Qadhafy Muhammad Tera
Impact: low

References

Bug 2021222

#CVE-2026-8964: Spoofing issue in the Popup Blocker component

Reporter: Satoki Tsuji
Impact: low

References

Bug 2025170

#CVE-2026-8965: Information disclosure in the DOM: Security component

Reporter: Shihab Mirza
Impact: low

References

Bug 2025740

#CVE-2026-8966: Information disclosure in the IP Protection component

Reporter: Rintaro Kobayashi
Impact: low

References

Bug 2025849

#CVE-2026-8967: Information disclosure in the Graphics: WebGPU component

Reporter: Inseo An
Impact: low

References

Bug 2027173

#CVE-2026-8968: Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component

Reporter: Tristan Madani
Impact: low

References

Bug 2030467

#CVE-2026-8969: Mitigation bypass in the DOM: Security component

Reporter: Atsushi Sada
Impact: low

References

Bug 2031123

#CVE-2026-8970: Privilege escalation in the Security component

Reporter: pakhunov.anton.n
Impact: low

References

Bug 2032174

#CVE-2026-8971: Same-origin policy bypass in the Networking: JAR component

Reporter: Surya Dev Singh
Impact: low

References

Bug 2032604

#CVE-2026-8972: Privilege escalation in the WebRTC: Audio/Video component

Reporter: pakhunov.anton.n
Impact: low

References

Bug 2033275

#CVE-2026-8973: Memory safety bugs fixed in Thunderbird 151

Reporter: Andrew Creskey, Andrew Osmond, Dana Keeler, Henri Sivonen, Jed Davis, John Schanck, Jon Coppeard, Justin Link, Michael Froman, Nika Layzell, Noah Lokocz, Randell Jesup, Steve Fink, Tom Schuster and the Mozilla Fuzzing Team
Impact: high

Description

Memory safety bugs present in Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Thunderbird 151

#CVE-2026-8974: Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151

Reporter: Nika Layzell, Randell Jesup, Timothy Nikkel, Tom Schuster and the Mozilla Fuzzing Team
Impact: moderate

Description

Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151

#CVE-2026-8975: Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151

Reporter: Andrew McCreight, Valentin Gosu, Nika Layzell, Tom Schuster and the Mozilla Fuzzing Team
Impact: high

Description

References

Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151

Firefox browsers

Mozilla VPN

Mozilla Monitor

Firefox Relay

MDN Plus

Thunderbird

Solo

0DIN

Tabstack

About Mozilla

The Mozilla Manifesto

Get Involved

Blog