Thunderbird: 25 CVEs Disclosed in Single Advisory, Two Critical DOM Bypasses
Mozilla disclosed 25 CVEs in Thunderbird on June 16, including two Critical DOM security bypasses and eight High-severity memory corruption bugs, all fixed in Thunderbird 152 and Thunderbird ESR 140.12.

Key findings
- 25 CVEs disclosed in a single coordinated advisory on June 16, 2026
- Two Critical-rated DOM Security mitigation bypasses (CVE-2026-12316, CVE-2026-12315) at CVSS 9.1
- Eight High-severity memory safety bugs, including CVE-2026-12328 at CVSS 8.1
- Bugs span sandboxing, password manager, WebAssembly, NSS, and graphics components
- All flaws fixed in Thunderbird 152 and Thunderbird ESR 140.12
- No evidence of active exploitation reported at time of disclosure

Mozilla shipped a coordinated security update for Thunderbird on June 16, 2026, disclosing 25 CVEs in a single advisory. Two are rated Critical (CVSSv3 9.1) and eight High-rated memory safety bugs sit alongside them, with the remainder covering DOM security bypasses, sandbox-related information leaks, and denial-of-service flaws across the email client's core components. The batch was fixed in Thunderbird 152 and Thunderbird ESR 140.12, and some older ESR branches also received partial patches.
Two Critical DOM Security Bypasses
The most severe vulnerabilities in the batch are CVE-2026-12316 and CVE-2026-12315, both rated CVSSv3 9.1 and classified as bypasses of security mitigations in the DOM: Security component. Beyond that component label the advisory text reproduced here gives no technical detail, but a bypass at this layer undermines the controls that keep untrusted web content away from privileged code, which is why Mozilla treats the pair as potentially enabling code execution or privilege escalation. Both were fixed in Thunderbird 152; the advisory additionally lists CVE-2026-12315 as fixed in Thunderbird ESR 140.12.
Eight High-Severity Memory Safety Bugs
Eight High-rated CVEs are memory safety bugs that, in Mozilla's standard wording, "showed evidence of memory corruption" and are presumed exploitable to run arbitrary code with enough effort. CVE-2026-12328 (CVSS 8.1) is the highest-rated among them, affecting Thunderbird ESR 140.11 and Thunderbird 151. The other seven, CVE-2026-12327, CVE-2026-12317, CVE-2026-12314, CVE-2026-12312, CVE-2026-12310, CVE-2026-12305, and CVE-2026-12318 (the last in NSS, the Network Security Services library that provides TLS and certificate handling for Thunderbird and Firefox), were all fixed in Thunderbird 152 and Thunderbird ESR 140.12.
Sandbox Escapes and Information Disclosure
Two Medium-severity CVEs, CVE-2026-12313 and CVE-2026-12311 (both CVSS 4.7), affect the Security: Process Sandboxing component and are classified as information disclosure issues with sandbox escape potential. On their own, leaks of this kind rarely break out of the content sandbox; their value to an attacker is as a building block chained with a memory corruption bug such as those above, which is why they matter despite the modest scores. Separately, CVE-2026-12320 (CVSS 4.3) exposes an information disclosure path in the Password Manager component that could leak stored credentials.
Denial-of-Service and Graphics Flaws
CVE-2026-12325 (CVSS 6.5) causes a denial-of-service condition in the Graphics: ImageLib component, while CVE-2026-12319 (CVSS 6.5) does the same in Audio/Video: Playback. CVE-2026-12324 (CVSS 7.3, High) is an incorrect boundary condition in Graphics: CanvasWebGL that could lead to memory corruption.
Spoofing, Clickjacking, and JIT Miscompilation
CVE-2026-12323 (CVSS 5.4) is a spoofing issue in DOM: Core & HTML, CVE-2026-12322 (CVSS 5.4) is a clickjacking flaw in the Widget: Gtk component, and CVE-2026-12321 (CVSS 5.4) is a JIT miscompilation in JavaScript: WebAssembly. All three were fixed in Thunderbird 152.
Patch Status and Mitigations
All 25 CVEs are addressed in Thunderbird 152 and Thunderbird ESR 140.12. Users still on the older Thunderbird ESR 115 branch received fixes for only a subset of the bugs, including CVE-2026-12330 and CVE-2026-12325, so that branch should be treated as unpatched for the batch as a whole. Mozilla's advisory notes no evidence of active exploitation at the time of disclosure. Mozilla's Thunderbird advisories also routinely point out that scripting is disabled when reading mail, so engine-level flaws of this kind are generally hard to reach through a message itself but remain reachable in browser-like contexts inside the client; that caveat does not change the priority of the update. Users are strongly advised to update to the latest versions immediately.
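The practical check for an administrator is whether each installed build is at or above the fixed version for its branch, which is not a plain numeric comparison: ESR 140 is fixed at 140.12, the mainline release at 152, and ESR 115 is only partially fixed. The following Python script is an added example written for this article, not code from Mozilla or from the advisory; it assumes version strings in the form printed by `thunderbird --version` (for example `Thunderbird 140.11.0esr`), takes the fixed versions from the text above rather than from the advisory itself, and runs over a constructed inventory list.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Fixed versions as stated in this article (assumption: confirm against
# Mozilla's advisory before acting on them).
FIXED_RELEASE = (152, 0, 0)   # mainline Thunderbird
FIXED_ESR_140 = (140, 12, 0)  # Thunderbird ESR 140 branch
ESR_115 = 115                 # older ESR branch: only a subset of fixes

# Accepts "Thunderbird 140.11.0esr", "151.0", "152.0.1" or "152.0b3".
_VERSION_RE = re.compile(
    r"^(?:Thunderbird\s+)?(\d+)\.(\d+)(?:\.(\d+))?\s*([A-Za-z]+\d*)?\s*$"
)


@dataclass(frozen=True)
class Verdict:
    version: Tuple[int, int, int]
    branch: str   # "release", "esr140", "esr115" or "other"
    patched: bool
    reason: str


def parse_version(text: str) -> Tuple[Tuple[int, int, int], str]:
    """Split a version string into ((major, minor, patch), suffix).
    The suffix is 'esr' for ESR builds, 'b3'-style for betas, '' if absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Thunderbird version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), (suffix or "").lower()


def assess(text: str) -> Verdict:
    """Decide whether a build carries the fixes for this advisory batch."""
    ver, suffix = parse_version(text)
    major = ver[0]
    if suffix and suffix != "esr":
        # Alpha/beta builds are not covered by the release fix statement.
        return Verdict(ver, "other", False,
                       f"pre-release build ({suffix}); treat as unpatched")
    if major == FIXED_ESR_140[0]:
        ok = ver >= FIXED_ESR_140
        return Verdict(ver, "esr140", ok,
                       "ESR 140.12 or later" if ok else "ESR 140 build below 140.12")
    if major == ESR_115:
        return Verdict(ver, "esr115", False,
                       "ESR 115 received only a subset of the fixes; move to ESR 140.12")
    if major >= FIXED_RELEASE[0]:
        return Verdict(ver, "release", True, "release 152 or later")
    if major > FIXED_ESR_140[0]:
        return Verdict(ver, "release", False, "release build below 152")
    return Verdict(ver, "other", False,
                   "branch older than ESR 140; no fix available on this branch")


def needs_update(inventory: List[Tuple[str, str]]) -> List[Tuple[str, Verdict]]:
    """Return (host, verdict) for every inventory entry that is not patched."""
    out = []
    for host, text in inventory:
        verdict = assess(text)
        if not verdict.patched:
            out.append((host, verdict))
    return out


# Constructed sample inventory (host, output of `thunderbird --version`).
INVENTORY = [
    ("mail-01", "Thunderbird 140.11.0esr"),
    ("mail-02", "Thunderbird 140.12.0esr"),
    ("desk-03", "Thunderbird 151.0"),
    ("desk-04", "Thunderbird 152.0"),
    ("legacy-05", "Thunderbird 115.18.0esr"),
]

if __name__ == "__main__":
    for host, verdict in needs_update(INVENTORY):
        print(f"{host}: {'.'.join(map(str, verdict.version))} "
              f"[{verdict.branch}] needs update: {verdict.reason}")
```

The branch logic is the part worth keeping: a build on ESR 140 at 140.12 is patched while a numerically higher 151.0 mainline build is not, and ESR 115 is flagged regardless of its minor version because only some of the fixes reached it.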
Why This Batch Matters
This is one of the largest single-day security disclosures for Thunderbird in recent memory, packing two Critical DOM bypasses, a cluster of memory corruption bugs, and sandbox-related leaks into one release. For organizations relying on Thunderbird for email, the update to version 152 or ESR 140.12 is urgent: the breadth of components touched (password storage, WebAssembly, NSS, the process sandbox) means that, taken together, the batch lowers the bar for remote compromise even where no single bug is exploitable on its own.