Buffer Overflow Vulnerability in Thunderbird by Mozilla
CVE-2026-4371

7.4 HIGH

Key Information:

Vendor: Mozilla

CVE Published: 24 March 2026

What is CVE-2026-4371?

A vulnerability exists in Thunderbird that allows a malicious mail server to send malformed strings with negative lengths, leading to potential buffer overflow conditions. This may cause the mail parser to read past the end of its buffer, resulting in application crashes or the leakage of sensitive information. The affected versions of Thunderbird are those prior to 149 and prior to 140.9. Users are advised to ensure their software is updated to mitigate the risks associated with this vulnerability.
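The bug class described above (a length field that is negative when read as a signed integer, so a naive bounds check passes and the parser over-reads) is illustrated below with an added, hypothetical length-prefixed string field; this is not Thunderbird's own parser, and the wire format, function names and constructed sample bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical field layout (assumed for this example): a 4-byte big-endian
 * length followed by that many string bytes. */
static uint32_t read_u32be(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed bounds check: the length is held in a signed int, so a wire value
 * such as 0xFFFFFFFF becomes -1 (implementation-defined wrap on real
 * compilers), satisfies `len <= remaining`, and would later turn into a huge
 * size_t when used as a copy length. Returns 1 if the length is accepted. */
int length_check_unsafe(const unsigned char *field, size_t remaining) {
    int32_t len = (int32_t)read_u32be(field);
    return len <= (int32_t)remaining;
}

/* Hardened check: keep the length unsigned, cap it at what the destination can
 * hold, and compare against the bytes actually left before touching memory. */
int length_check_safe(const unsigned char *field, size_t remaining,
                      size_t max_len) {
    uint32_t len = read_u32be(field);
    return len <= max_len && len <= remaining;
}

/* Safe parse: validates the length, copies the string into `out`,
 * NUL-terminates it, and returns the number of string bytes copied, or -1 when
 * the field is malformed, truncated, or too large for `out`. */
long parse_string_safe(const unsigned char *buf, size_t buf_len,
                       char *out, size_t out_len) {
    if (buf_len < 4 || out_len == 0) return -1;
    if (!length_check_safe(buf, buf_len - 4, out_len - 1)) return -1;
    uint32_t len = read_u32be(buf);
    memcpy(out, buf + 4, len);
    out[len] = '\0';
    return (long)len;
}
```

Feeding a negative-as-signed length to the unsafe check shows it accepted, while the hardened parser rejects the same bytes before any read.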

Affected Version(s)

Thunderbird < 149

Thunderbird < 140.9

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Rintaro Kobayashi