Vulnerability Details CVE-2026-4371
A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking sensitive data. This vulnerability affects Thunderbird < 149 and Thunderbird < 140.9.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 12.4%
CVSS Severity
CVSS v3 Score 7.4
Products affected by CVE-2026-4371
- cpe:2.3:a:mozilla:thunderbird:-
- cpe:2.3:a:mozilla:thunderbird:115.10.2
- cpe:2.3:a:mozilla:thunderbird:115.11.0
- cpe:2.3:a:mozilla:thunderbird:115.11.1
- cpe:2.3:a:mozilla:thunderbird:115.12.1
- cpe:2.3:a:mozilla:thunderbird:115.12.2
- cpe:2.3:a:mozilla:thunderbird:115.13.0
- cpe:2.3:a:mozilla:thunderbird:115.14.0
- cpe:2.3:a:mozilla:thunderbird:115.16.0
- cpe:2.3:a:mozilla:thunderbird:115.16.1
- cpe:2.3:a:mozilla:thunderbird:115.16.2
- cpe:2.3:a:mozilla:thunderbird:115.16.3
- cpe:2.3:a:mozilla:thunderbird:115.18.0
- cpe:2.3:a:mozilla:thunderbird:128.0.1
- cpe:2.3:a:mozilla:thunderbird:128.1.0
- cpe:2.3:a:mozilla:thunderbird:128.1.1
- cpe:2.3:a:mozilla:thunderbird:128.10.0
- cpe:2.3:a:mozilla:thunderbird:128.10.1
- cpe:2.3:a:mozilla:thunderbird:128.10.2
- cpe:2.3:a:mozilla:thunderbird:128.11.0
- cpe:2.3:a:mozilla:thunderbird:128.11.1
- cpe:2.3:a:mozilla:thunderbird:128.12.0
- cpe:2.3:a:mozilla:thunderbird:128.13.0
- cpe:2.3:a:mozilla:thunderbird:128.14.0
- cpe:2.3:a:mozilla:thunderbird:128.2.0
- cpe:2.3:a:mozilla:thunderbird:128.2.1
- cpe:2.3:a:mozilla:thunderbird:128.2.2
- cpe:2.3:a:mozilla:thunderbird:128.2.3
- cpe:2.3:a:mozilla:thunderbird:128.3.0
- cpe:2.3:a:mozilla:thunderbird:128.3.1
- cpe:2.3:a:mozilla:thunderbird:128.3.2
- cpe:2.3:a:mozilla:thunderbird:128.3.3
- cpe:2.3:a:mozilla:thunderbird:128.4.0
- cpe:2.3:a:mozilla:thunderbird:128.4.1
- cpe:2.3:a:mozilla:thunderbird:128.4.2
- cpe:2.3:a:mozilla:thunderbird:128.4.3
- cpe:2.3:a:mozilla:thunderbird:128.4.4
- cpe:2.3:a:mozilla:thunderbird:128.5.0
- cpe:2.3:a:mozilla:thunderbird:128.5.1
- cpe:2.3:a:mozilla:thunderbird:128.5.2
- cpe:2.3:a:mozilla:thunderbird:128.6.0
- cpe:2.3:a:mozilla:thunderbird:128.7.0
- cpe:2.3:a:mozilla:thunderbird:128.7.1
- cpe:2.3:a:mozilla:thunderbird:128.8.0
- cpe:2.3:a:mozilla:thunderbird:128.8.1
- cpe:2.3:a:mozilla:thunderbird:128.9.0
- cpe:2.3:a:mozilla:thunderbird:128.9.1
- cpe:2.3:a:mozilla:thunderbird:128.9.2
- cpe:2.3:a:mozilla:thunderbird:135.0
- cpe:2.3:a:mozilla:thunderbird:139.0
- cpe:2.3:a:mozilla:thunderbird:140.0
- cpe:2.3:a:mozilla:thunderbird:140.0.1
- cpe:2.3:a:mozilla:thunderbird:140.1.0
- cpe:2.3:a:mozilla:thunderbird:140.1.1
- cpe:2.3:a:mozilla:thunderbird:140.2.0
- cpe:2.3:a:mozilla:thunderbird:140.2.1
- cpe:2.3:a:mozilla:thunderbird:140.3.0
- cpe:2.3:a:mozilla:thunderbird:140.3.1
- cpe:2.3:a:mozilla:thunderbird:140.4.0
- cpe:2.3:a:mozilla:thunderbird:140.5.0
- cpe:2.3:a:mozilla:thunderbird:140.6.0
- cpe:2.3:a:mozilla:thunderbird:140.7.0
- cpe:2.3:a:mozilla:thunderbird:141.0
- cpe:2.3:a:mozilla:thunderbird:142.0
- cpe:2.3:a:mozilla:thunderbird:143.0
- cpe:2.3:a:mozilla:thunderbird:143.0.1
- cpe:2.3:a:mozilla:thunderbird:144.0
- cpe:2.3:a:mozilla:thunderbird:144.0.1
- cpe:2.3:a:mozilla:thunderbird:145.0
- cpe:2.3:a:mozilla:thunderbird:146.0
- cpe:2.3:a:mozilla:thunderbird:146.0.1
- cpe:2.3:a:mozilla:thunderbird:147.0