Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2026/VULN477 _____________________________________________________________________ DATE : 11/05/2026 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Thunderbird versions prior to 150.0.2, 140.10.2. ===================================================================== https://www.mozilla.org/en-US/security/advisories/mfsa2026-43/ https://www.mozilla.org/en-US/security/advisories/mfsa2026-44/ _____________________________________________________________________ Mozilla Foundation Security Advisory 2026-43 Security Vulnerabilities fixed in Thunderbird 150.0.2 Announced May 8, 2026 Impact high Products Thunderbird Fixed in Thunderbird 150.0.2 In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. #CVE-2026-8090: Use-after-free in the DOM: Networking component Reporter Kevin Brosnan Impact high References Bug 2034352 #CVE-2026-8092: Memory safety bugs fixed in Thunderbird ESR 140.10.2 and Thunderbird 150.0.2 Reporter Andrew McCreight, Christian Holler, Lee Salzman, Maurice Dauer, Tom Schuster, Wayne Mery and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Thunderbird ESR 140.10.2 and Thunderbird 150.0.2 #CVE-2026-8093: Memory safety bugs fixed in Thunderbird 150.0.2 Reporter Andy Leiserson, Jan de Mooij, Michael Froman and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Thunderbird 150.0.2 _____________________________________________________________________ Mozilla Foundation Security Advisory 2026-44 Security Vulnerabilities fixed in Thunderbird 140.10.2 Announced May 8, 2026 Impact high Products Thunderbird Fixed in Thunderbird 140.10.2 In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. #CVE-2026-8090: Use-after-free in the DOM: Networking component Reporter Kevin Brosnan Impact high References Bug 2034352 #CVE-2026-8094: Other issue in the WebRTC component Reporter Michael Froman Impact high References Bug 2035939 #CVE-2026-8092: Memory safety bugs fixed in Thunderbird ESR 140.10.2 and Thunderbird 150.0.2 Reporter Andrew McCreight, Christian Holler, Lee Salzman, Maurice Dauer, Tom Schuster, Wayne Mery and the Mozilla Fuzzing Team Impact high Description Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. References Memory safety bugs fixed in Thunderbird ESR 140.10.2 and Thunderbird 150.0.2 ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================