CVE-2026-4371

Published: Mar 24, 2026

Modified: Apr 13, 2026

PUBLISHED

Description

A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking sensitive data. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.

Vendor: Mozilla

Product: Thunderbird

Versions:
unaffected: 140.9 - <= 140.*
unaffected: 149 - <= *
