CVE-2026-7323
Description
Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory safety bugs in Thunderbird ESR 140.10.0 and 150.0.0 could allow arbitrary code execution via memory corruption; fixed in 140.10.1 and 150.0.1.
Vulnerability
CVE-2026-7323 covers a group of memory safety bugs in the shared Mozilla code base, present in Thunderbird 150.0.0 and Thunderbird ESR 140.10.0 and fixed alongside the matching Firefox releases (the affected-product data below lists both products). The Mozilla Fuzzing Team, together with researchers Ryan Hunt and Steve Fink, found that some of these bugs showed evidence of memory corruption, and Mozilla presumes that with enough effort some of them could be exploited to run arbitrary code [1][2].
Exploitation
These flaws cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts [1][2]. Simply opening a crafted message is therefore not the attack path; an attacker needs the user to load malicious content somewhere attacker-controlled script runs, which in practice means Firefox visiting a hostile page or Thunderbird rendering web content outside the mail-reading view. The scripting distinction matters because turning a memory corruption bug into code execution usually depends on script to groom the heap and control when the corruption happens, which the mail reader denies. The advisory wording ("we presume that with enough effort some of these could have been exploited") indicates no known exploit at publication.
Impact
If successfully exploited, the result is arbitrary code execution inside the browser or mail client process, subject to whatever process sandboxing the platform applies. The vulnerability is rated High severity, and this page records a CVSS v3 base score of 7.3 [1][2].
Mitigation
Mozilla fixed this vulnerability in Firefox 150.0.1, Firefox ESR 140.10.1, Thunderbird 150.0.1 and Thunderbird ESR 140.10.1; update to those versions or later [1][2][3][4]. Because the ESR and mainline branches have separate fixed versions, check which branch each installation is on (a 140.x build is ESR) rather than comparing every install against 150.0.1 alone.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* range: <150.0.1
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* range: <140.10.1
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* range: <150.0.1
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* range: <140.10.1
- range: =150.0.0
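A version triage check derived from the fixed versions and CPE ranges listed for this CVE, written as an added example for this page (it is not Mozilla's code nor any tool cited here). It assumes that the 140.x series is the ESR branch, that a version string ending in "esr" is on the ESR branch, and that Firefox and Thunderbird share the same fixed versions, as the advisory text states; the inventory it runs over is constructed sample data.

```python
"""Version triage for CVE-2026-7323 (added example, not Mozilla code).

Encodes only what the page states: mainline Firefox/Thunderbird fixed in
150.0.1, the ESR branch fixed in 140.10.1, and the CPE ranges '<150.0.1'
(mainline) and '<140.10.1' (esr).
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions per branch, taken from the advisory text on this page.
FIXED_IN: Dict[str, Version] = {
    "mainline": (150, 0, 1),
    "esr": (140, 10, 1),
}
ESR_MAJOR = 140  # assumption: the 140.x series is treated as the ESR branch
PRODUCTS = {"firefox", "thunderbird"}  # both ship the same fixed versions here


def parse_version(text: str) -> Optional[Version]:
    """Turn '140.10.0', '150.0.1esr' or '150.1' into a 3-tuple; None if garbage."""
    text = text.strip().lower()
    if text.endswith("esr"):
        text = text[:-3]
    parts = text.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def branch_of(version_text: str, version: Version) -> str:
    """ESR if the string carries the 'esr' tag or sits on the ESR major line."""
    if version_text.strip().lower().endswith("esr") or version[0] == ESR_MAJOR:
        return "esr"
    return "mainline"


def assess(product: str, version_text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one installed build."""
    if product.lower() not in PRODUCTS:
        return "unknown"
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    fixed = FIXED_IN[branch_of(version_text, version)]
    # Tuple comparison is lexicographic, so (140, 9, 0) < (140, 10, 1) holds.
    return "fixed" if version >= fixed else "vulnerable"


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map host -> status for a list of (host, product, version) records."""
    return {host: assess(product, ver) for host, product, ver in inventory}


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("mail-01", "thunderbird", "140.10.0"),
    ("mail-02", "thunderbird", "140.10.1"),
    ("ws-01", "firefox", "150.0.0"),
    ("ws-02", "firefox", "150.0.1"),
    ("ws-03", "firefox", "140.9.0esr"),
    ("ws-04", "firefox", "151.0"),
    ("kiosk-01", "chromium", "125.0"),
    ("ws-05", "firefox", "nightly-build"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Run it over a real inventory export in place of SAMPLE_INVENTORY; treat every "unknown" result as needing a manual look, since an unparsable version string is usually a renamed or third-party build rather than a safe one.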
Patches
No patches discovered yet.
References
[1] www.mozilla.org/security/advisories/mfsa2026-35/ (nvd: Vendor Advisory)
[2] www.mozilla.org/security/advisories/mfsa2026-36/ (nvd: Vendor Advisory)
[3] www.mozilla.org/security/advisories/mfsa2026-38/ (nvd: Vendor Advisory)
[4] www.mozilla.org/security/advisories/mfsa2026-39/ (nvd: Vendor Advisory)
[5] bugzilla.mozilla.org/buglist.cgi (nvd: Broken Link)
News mentions
- Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws (The Hacker News, May 18, 2026)
- Debian 13.5 point release lands with security fixes, bug patches (Help Net Security, May 17, 2026)
- How Dangerous Is Anthropic’s Mythos AI? (Schneier on Security, May 14, 2026)
- Welcome to the vulnpocalypse, as vendors use AI to find bugs and patches multiply like rabbits (The Register Security, May 13, 2026)
- Patch Tuesday, May 2026 Edition (Krebs on Security, May 12, 2026)
- Mozilla boasts Mythos boosted Firefox bug cull (The Register Security, May 7, 2026)
- Proton Mail brings quantum-safe email encryption to all accounts (Help Net Security, May 6, 2026)
- Cleartext Passwords in MS Edge? In 2026?, (Mon, May 4th) (SANS Internet Storm Center, May 5, 2026)
- CloudZ RAT potentially steals OTP messages using Pheno plugin (Cisco Talos Intelligence, May 5, 2026)
- ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More (The Hacker News, May 4, 2026)
- Copy Fail (CVE-2026-31431): Frequently asked questions about Linux kernel privilege escalation vulnerability (Tenable Blog, Apr 30, 2026)
- Legacy TLS tour continues with Exchange Online blocking old versions from July 2026 (The Register Security, Apr 29, 2026)
- Claude Mythos Has Found 271 Zero-Days in Firefox (Schneier on Security, Apr 29, 2026)
- VECT: Ransomware by design, Wiper by accident (Check Point Research, Apr 28, 2026)
- AI's not going to kill open source code security (The Register Security, Apr 26, 2026)
- Risky Business #834 -- Vercel gets owned, Mozilla dumps hundreds of Mythos bugs (Risky Business, Apr 22, 2026)
- DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy (Check Point Research, Apr 20, 2026)
- Metasploit Wrap-Up 04/17/2026 (Rapid7 Blog, Apr 17, 2026)
- Shared Dictionaries: compression that keeps up with the agentic web (Cloudflare Blog, Apr 17, 2026)
- Attackers Actively Exploiting Critical Vulnerability in Ninja Forms – File Upload Plugin (Wordfence Blog, Apr 16, 2026)
- Securing the Software Supply Chain: How SentinelOne’s AI EDR Autonomously Blocked the CPU-Z Watering Hole Cyber Attack (SentinelOne Labs, Apr 14, 2026)
- Microsoft Patch Tuesday, March 2026 Edition (Krebs on Security, Mar 11, 2026)
- Siemens Teamcenter (CISA Alerts)