|
|
Log in / Subscribe / Register

AlmaLinux alert ALSA-2026:3517 (thunderbird)



From:
              AlmaLinux Errata Notifications via Announce <announce@lists.almalinux.org>


To:
              announce@lists.almalinux.org


Subject:
              [Announce]  [Security Advisory] ALSA-2026:3517: thunderbird security update (Important)


Date:
              Thu, 05 Mar 2026 10:02:52 +0000


Message-ID:
              <0100019cbd733fca-a524ca76-3fdc-4b3b-982d-2b42d83c564f-000000@email.amazonses.com>


Archive-link:
              Article


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata
notifications from AlmaLinux.

AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-03-05

Summary:

Mozilla Thunderbird is a standalone mail and newsgroup client.  

Security Fix(es):  

  * libvpx: Heap buffer overflow in libvpx (CVE-2026-2447)
  * firefox: Invalid pointer in the JavaScript Engine component (CVE-2026-2785)
  * firefox: Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR
140.8, Firefox 148 and Thunderbird 148 (CVE-2026-2793)
  * firefox: Undefined behavior in the DOM: Core & HTML component (CVE-2026-2771)
  * firefox: Integer overflow in the Audio/Video component (CVE-2026-2774)
  * firefox: Sandbox escape due to incorrect boundary conditions in the Telemetry component in
External Software (CVE-2026-2776)
  * firefox: Integer overflow in the Libraries component in NSS (CVE-2026-2781)
  * firefox: Use-after-free in the JavaScript Engine: JIT component (CVE-2026-2766)
  * firefox: Use-after-free in the Storage: IndexedDB component (CVE-2026-2769)
  * firefox: Use-after-free in the DOM: Window and Location component (CVE-2026-2787)
  * firefox: Sandbox escape in the Storage: IndexedDB component (CVE-2026-2768)
  * firefox: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT
component (CVE-2026-2783)
  * firefox: Incorrect boundary conditions in the Audio/Video: GMP component (CVE-2026-2788)
  * firefox: Mitigation bypass in the DOM: Security component (CVE-2026-2784)
  * firefox: Incorrect boundary conditions in the Graphics: ImageLib component (CVE-2026-2759)
  * firefox: Integer overflow in the JavaScript: Standard Library component (CVE-2026-2762)
  * firefox: Sandbox escape in the Graphics: WebRender component (CVE-2026-2761)
  * firefox: Privilege escalation in the Messaging System component (CVE-2026-2777)
  * firefox: Same-origin policy bypass in the Networking: JAR component (CVE-2026-2790)
  * firefox: Mitigation bypass in the DOM: HTML Parser component (CVE-2026-2775)
  * firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2763)
  * firefox: Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and
Thunderbird 148 (CVE-2026-2792)
  * firefox: Incorrect boundary conditions in the Web Audio component (CVE-2026-2773)
  * firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2786)
  * firefox: Use-after-free in the Graphics: ImageLib component (CVE-2026-2789)
  * firefox: thunderbird: Incorrect boundary conditions in the WebRTC: Audio/Video component
(CVE-2026-2757)
  * firefox: Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender
component (CVE-2026-2760)
  * firefox: Use-after-free in the Audio/Video: Playback component (CVE-2026-2772)
  * firefox: Incorrect boundary conditions in the Networking: JAR component (CVE-2026-2779)
  * firefox: Use-after-free in the JavaScript: WebAssembly component (CVE-2026-2767)
  * firefox: JIT miscompilation, use-after-free in the JavaScript Engine: JIT component
(CVE-2026-2764)
  * firefox: Privilege escalation in the Netmonitor component (CVE-2026-2782)
  * firefox: Use-after-free in the JavaScript Engine component (CVE-2026-2765)
  * firefox: Privilege escalation in the Netmonitor component (CVE-2026-2780)
  * firefox: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component
(CVE-2026-2778)
  * firefox: Use-after-free in the JavaScript: GC component (CVE-2026-2758)
  * firefox: Mitigation bypass in the Networking: Cache component (CVE-2026-2791)
  * firefox: Use-after-free in the DOM: Bindings (WebIDL) component (CVE-2026-2770)


For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,
and other related information, refer to the CVE page(s) listed in the References section.


Full details, updated packages, references, and other related information:
https://errata.almalinux.org/10/ALSA-2026-3517.html

This message is automatically generated, please don’t reply. For further questions, please, contact
us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on
https://lists.almalinux.org.

Kind regards,
AlmaLinux Team
_______________________________________________
Announce mailing list -- announce@lists.almalinux.org
To unsubscribe send an email to announce-leave@lists.almalinux.org
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds