OpenPGP Padding Vulnerability in Thunderbird by Mozilla
CVE-2025-26695

5.3MEDIUM

Key Information:

Vendor: Mozilla
Status: Thunderbird
Vendor: CVE Published:; 10 March 2025

Summary

In Thunderbird, an incorrect padding size utilized when requesting an OpenPGP key from a WKD server can lead to information disclosure. This flaw may allow a network observer to infer the length of the requested email address, potentially compromising user privacy. Affected versions include Thunderbird versions below 136 and 128.8, necessitating prompt updates to mitigate this risk.

Affected Version(s)

Thunderbird < 136

Thunderbird < 128.8

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1883039

https://www.mozilla.org/security/advisories/mfsa2025-17/

https://www.mozilla.org/security/advisories/mfsa2025-18/

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 10, 2025
Vulnerability Reserved
Feb 13, 2025

Credit

Daniel Huigens