SUSE alert openSUSE-SU-2026:20664-1 (thunderbird)
From: null@suse.de
To: security-announce@lists.opensuse.org
Subject: openSUSE-SU-2026:20664-1: important: Security update for MozillaThunderbird
Date: Mon, 04 May 2026 15:29:30 +0200
Message-ID: <20260504132930.74745FCE4@maintenance.suse.de>

openSUSE security update: security update for mozillathunderbird
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20664-1
Rating: important
References:

  * bsc#1260083
  * bsc#1262230

Cross-References:

  * CVE-2025-59375
  * CVE-2026-3889
  * CVE-2026-4371
  * CVE-2026-4684
  * CVE-2026-4685
  * CVE-2026-4686
  * CVE-2026-4687
  * CVE-2026-4688
  * CVE-2026-4689
  * CVE-2026-4690
  * CVE-2026-4691
  * CVE-2026-4692
  * CVE-2026-4693
  * CVE-2026-4694
  * CVE-2026-4695
  * CVE-2026-4696
  * CVE-2026-4697
  * CVE-2026-4698
  * CVE-2026-4699
  * CVE-2026-4700
  * CVE-2026-4701
  * CVE-2026-4702
  * CVE-2026-4704
  * CVE-2026-4705
  * CVE-2026-4706
  * CVE-2026-4707
  * CVE-2026-4708
  * CVE-2026-4709
  * CVE-2026-4710
  * CVE-2026-4711
  * CVE-2026-4712
  * CVE-2026-4713
  * CVE-2026-4714
  * CVE-2026-4715
  * CVE-2026-4716
  * CVE-2026-4717
  * CVE-2026-4718
  * CVE-2026-4719
  * CVE-2026-4720
  * CVE-2026-4721
  * CVE-2026-5731
  * CVE-2026-5732
  * CVE-2026-5734
  * CVE-2026-6746
  * CVE-2026-6747
  * CVE-2026-6748
  * CVE-2026-6749
  * CVE-2026-6750
  * CVE-2026-6751
  * CVE-2026-6752
  * CVE-2026-6753
  * CVE-2026-6754
  * CVE-2026-6757
  * CVE-2026-6759
  * CVE-2026-6761
  * CVE-2026-6762
  * CVE-2026-6763
  * CVE-2026-6764
  * CVE-2026-6765
  * CVE-2026-6766
  * CVE-2026-6767
  * CVE-2026-6769
  * CVE-2026-6770
  * CVE-2026-6771
  * CVE-2026-6772
  * CVE-2026-6776
  * CVE-2026-6785
  * CVE-2026-6786

CVSS scores:

  * CVE-2025-59375 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-59375 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-3889 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  * CVE-2026-4371 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  * CVE-2026-4684 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-4685 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-4686 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-4687 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  * CVE-2026-4688 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  * CVE-2026-4689 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  * CVE-2026-4690 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  * CVE-2026-4691 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-4692 ( SUSE ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  * CVE-2026-4693 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-4694 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-4695 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-4696 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-4697 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-4698 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-4699 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-4700 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  * CVE-2026-4701 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4702 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4704 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  * CVE-2026-4705 ( SUSE ): 5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4706 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4707 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4708 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4709 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4710 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4711 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4712 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  * CVE-2026-4713 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4714 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4715 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4716 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4717 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4718 ( SUSE ): 5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4719 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  * CVE-2026-4720 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-4721 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-5731 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-5732 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2026-5734 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:

  openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 68 vulnerabilities and has 2 bug fixes can now be installed.

Description:

This update for MozillaThunderbird fixes the following issues:

Changes in MozillaThunderbird:

- Mozilla Thunderbird 140.10.0 ESR
  * Newly translated strings were not available in Thunderbird
  MFSA 2026-34 (bsc#1262230)
  * CVE-2026-6746 Use-after-free in the DOM: Core & HTML component
  * CVE-2026-6747 Use-after-free in the WebRTC component
  * CVE-2026-6748 Uninitialized memory in the Audio/Video: Web Codecs component
  * CVE-2026-6749 Information disclosure due to uninitialized memory in the Graphics: Canvas2D component
  * CVE-2026-6750 Privilege escalation in the Graphics: WebRender component
  * CVE-2026-6751 Uninitialized memory in the Audio/Video: Web Codecs component
  * CVE-2026-6752 Incorrect boundary conditions in the WebRTC component
  * CVE-2026-6753 Incorrect boundary conditions in the WebRTC component
  * CVE-2026-6754 Use-after-free in the JavaScript Engine component
  * CVE-2026-6757 Invalid pointer in the JavaScript: WebAssembly component
  * CVE-2026-6759 Use-after-free in the Widget: Cocoa component
  * CVE-2026-6761 Privilege escalation in the Networking component
  * CVE-2026-6762 Spoofing issue in the DOM: Core & HTML component
  * CVE-2026-6763 Mitigation bypass in the File Handling component
  * CVE-2026-6764 Incorrect boundary conditions in the DOM: Device Interfaces component
  * CVE-2026-6765 Information disclosure in the Form Autofill component
  * CVE-2026-6766 Incorrect boundary conditions in the Libraries component in NSS
  * CVE-2026-6767 Other issue in the Libraries component in NSS
  * CVE-2026-6769 Privilege escalation in the Debugger component
  * CVE-2026-6770 Other issue in the Storage: IndexedDB component
  * CVE-2026-6771 Mitigation bypass in the DOM: Security component
  * CVE-2026-6772 Incorrect boundary conditions in the Libraries component in NSS
  * CVE-2026-6776 Incorrect boundary conditions in the WebRTC: Networking component
  * CVE-2026-6785 Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150
  * CVE-2026-6786 Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150

- Mozilla Thunderbird 140.9.1 ESR
  MFSA 2026-29
  * CVE-2026-5732 Incorrect boundary conditions, integer overflow in the Graphics: Text component
  * CVE-2026-5731 Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
  * CVE-2026-5734 Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2

- Mozilla Thunderbird 140.9.0 ESR
  MFSA 2026-24 (bsc#1260083)
  * CVE-2026-3889 Spoofing issue in Thunderbird
  * CVE-2026-4371 Out of bounds read in IMAP parsing
  * CVE-2026-4684 Race condition, use-after-free in the Graphics: WebRender component
  * CVE-2026-4685 Incorrect boundary conditions in the Graphics: Canvas2D component
  * CVE-2026-4686 Incorrect boundary conditions in the Graphics: Canvas2D component
  * CVE-2026-4687 Sandbox escape due to incorrect boundary conditions in the Telemetry component
  * CVE-2026-4688 Sandbox escape due to use-after-free in the Disability Access APIs component
  * CVE-2026-4689 Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component
  * CVE-2026-4690 Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component
  * CVE-2026-4691 Use-after-free in the CSS Parsing and Computation component
  * CVE-2026-4692 Sandbox escape in the Responsive Design Mode component
  * CVE-2026-4693 Incorrect boundary conditions in the Audio/Video: Playback component
  * CVE-2026-4694 Incorrect boundary conditions, integer overflow in the Graphics component
  * CVE-2026-4695 Incorrect boundary conditions in the Audio/Video: Web Codecs component
  * CVE-2026-4696 Use-after-free in the Layout: Text and Fonts component
  * CVE-2026-4697 Incorrect boundary conditions in the Audio/Video: Web Codecs component
  * CVE-2026-4698 JIT miscompilation in the JavaScript Engine: JIT component
  * CVE-2026-4699 Incorrect boundary conditions in the Layout: Text and Fonts component
  * CVE-2026-4700 Mitigation bypass in the Networking: HTTP component
  * CVE-2026-4701 Use-after-free in the JavaScript Engine component
  * CVE-2026-4702 JIT miscompilation in the JavaScript Engine component
  * CVE-2026-4704 Denial-of-service in the WebRTC: Signaling component
  * CVE-2026-4705 Undefined behavior in the WebRTC: Signaling component
  * CVE-2026-4706 Incorrect boundary conditions in the Graphics: Canvas2D component
  * CVE-2026-4707 Incorrect boundary conditions in the Graphics: Canvas2D component
  * CVE-2026-4708 Incorrect boundary conditions in the Graphics component
  * CVE-2026-4709 Incorrect boundary conditions in the Audio/Video: GMP component
  * CVE-2026-4710 Incorrect boundary conditions in the Audio/Video component
  * CVE-2026-4711 Use-after-free in the Widget: Cocoa component
  * CVE-2026-4712 Information disclosure in the Widget: Cocoa component
  * CVE-2026-4713 Incorrect boundary conditions in the Graphics component
  * CVE-2026-4714 Incorrect boundary conditions in the Audio/Video component
  * CVE-2026-4715 Uninitialized memory in the Graphics: Canvas2D component
  * CVE-2026-4716 Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component
  * CVE-2026-4717 Privilege escalation in the Netmonitor component
  * CVE-2025-59375 Denial-of-service in the XML component
  * CVE-2026-4718 Undefined behavior in the WebRTC: Signaling component
  * CVE-2026-4719 Incorrect boundary conditions in the Graphics: Text component
  * CVE-2026-4720 Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149
  * CVE-2026-4721 Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  - openSUSE Leap 16.0

    zypper in -t patch openSUSE-Leap-16.0-packagehub-230=1

Package List:

  - openSUSE Leap 16.0:

    MozillaThunderbird-140.10.0-bp160.1.1
    MozillaThunderbird-openpgp-librnp-140.10.0-bp160.1.1
    MozillaThunderbird-translations-common-140.10.0-bp160.1.1
    MozillaThunderbird-translations-other-140.10.0-bp160.1.1

References:

  * https://www.suse.com/security/cve/CVE-2025-59375.html
  * https://www.suse.com/security/cve/CVE-2026-3889.html
  * https://www.suse.com/security/cve/CVE-2026-4371.html
  * https://www.suse.com/security/cve/CVE-2026-4684.html
  * https://www.suse.com/security/cve/CVE-2026-4685.html
  * https://www.suse.com/security/cve/CVE-2026-4686.html
  * https://www.suse.com/security/cve/CVE-2026-4687.html
  * https://www.suse.com/security/cve/CVE-2026-4688.html
  * https://www.suse.com/security/cve/CVE-2026-4689.html
  * https://www.suse.com/security/cve/CVE-2026-4690.html
  * https://www.suse.com/security/cve/CVE-2026-4691.html
  * https://www.suse.com/security/cve/CVE-2026-4692.html
  * https://www.suse.com/security/cve/CVE-2026-4693.html
  * https://www.suse.com/security/cve/CVE-2026-4694.html
  * https://www.suse.com/security/cve/CVE-2026-4695.html
  * https://www.suse.com/security/cve/CVE-2026-4696.html
  * https://www.suse.com/security/cve/CVE-2026-4697.html
  * https://www.suse.com/security/cve/CVE-2026-4698.html
  * https://www.suse.com/security/cve/CVE-2026-4699.html
  * https://www.suse.com/security/cve/CVE-2026-4700.html
  * https://www.suse.com/security/cve/CVE-2026-4701.html
  * https://www.suse.com/security/cve/CVE-2026-4702.html
  * https://www.suse.com/security/cve/CVE-2026-4704.html
  * https://www.suse.com/security/cve/CVE-2026-4705.html
  * https://www.suse.com/security/cve/CVE-2026-4706.html
  * https://www.suse.com/security/cve/CVE-2026-4707.html
  * https://www.suse.com/security/cve/CVE-2026-4708.html
  * https://www.suse.com/security/cve/CVE-2026-4709.html
  * https://www.suse.com/security/cve/CVE-2026-4710.html
  * https://www.suse.com/security/cve/CVE-2026-4711.html
  * https://www.suse.com/security/cve/CVE-2026-4712.html
  * https://www.suse.com/security/cve/CVE-2026-4713.html
  * https://www.suse.com/security/cve/CVE-2026-4714.html
  * https://www.suse.com/security/cve/CVE-2026-4715.html
  * https://www.suse.com/security/cve/CVE-2026-4716.html
  * https://www.suse.com/security/cve/CVE-2026-4717.html
  * https://www.suse.com/security/cve/CVE-2026-4718.html
  * https://www.suse.com/security/cve/CVE-2026-4719.html
  * https://www.suse.com/security/cve/CVE-2026-4720.html
  * https://www.suse.com/security/cve/CVE-2026-4721.html
  * https://www.suse.com/security/cve/CVE-2026-5731.html
  * https://www.suse.com/security/cve/CVE-2026-5732.html
  * https://www.suse.com/security/cve/CVE-2026-5734.html
  * https://www.suse.com/security/cve/CVE-2026-6746.html
  * https://www.suse.com/security/cve/CVE-2026-6747.html
  * https://www.suse.com/security/cve/CVE-2026-6748.html
  * https://www.suse.com/security/cve/CVE-2026-6749.html
  * https://www.suse.com/security/cve/CVE-2026-6750.html
  * https://www.suse.com/security/cve/CVE-2026-6751.html
  * https://www.suse.com/security/cve/CVE-2026-6752.html
  * https://www.suse.com/security/cve/CVE-2026-6753.html
  * https://www.suse.com/security/cve/CVE-2026-6754.html
  * https://www.suse.com/security/cve/CVE-2026-6757.html
  * https://www.suse.com/security/cve/CVE-2026-6759.html
  * https://www.suse.com/security/cve/CVE-2026-6761.html
  * https://www.suse.com/security/cve/CVE-2026-6762.html
  * https://www.suse.com/security/cve/CVE-2026-6763.html
  * https://www.suse.com/security/cve/CVE-2026-6764.html
  * https://www.suse.com/security/cve/CVE-2026-6765.html
  * https://www.suse.com/security/cve/CVE-2026-6766.html
  * https://www.suse.com/security/cve/CVE-2026-6767.html
  * https://www.suse.com/security/cve/CVE-2026-6769.html
  * https://www.suse.com/security/cve/CVE-2026-6770.html
  * https://www.suse.com/security/cve/CVE-2026-6771.html
  * https://www.suse.com/security/cve/CVE-2026-6772.html
  * https://www.suse.com/security/cve/CVE-2026-6776.html
  * https://www.suse.com/security/cve/CVE-2026-6785.html
  * https://www.suse.com/security/cve/CVE-2026-6786.html
