OpenPGP Padding Vulnerability in Thunderbird by Mozilla
CVE-2025-26695

5.3MEDIUM

Key Information:

Vendor: Mozilla
Status: Thunderbird
Vendor: CVE Published:; 10 March 2025

What is CVE-2025-26695?

In Thunderbird, an incorrect padding size utilized when requesting an OpenPGP key from a WKD server can lead to information disclosure. This flaw may allow a network observer to infer the length of the requested email address, potentially compromising user privacy. Affected versions include Thunderbird versions below 136 and 128.8, necessitating prompt updates to mitigate this risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Thunderbird < 136

Thunderbird < 128.8

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1883039

https://www.mozilla.org/security/advisories/mfsa2025-17/

https://www.mozilla.org/security/advisories/mfsa2025-18/

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 10, 2025
Vulnerability Reserved
Feb 13, 2025

Credit

Daniel Huigens

JSON

Mozilla