CVE-2026-8973

Vulnerability

Multiple memory safety bugs are present in Thunderbird 150, as described in Mozilla Foundation Security Advisories [1] [2]. These bugs showed evidence of memory corruption and, with enough effort, could be exploited to run arbitrary code. The affected product is Thunderbird version 150. The issue is fixed in Thunderbird 151, released on May 19, 2026.

Exploitation

An attacker can potentially exploit these memory corruption vulnerabilities by delivering crafted content. In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but they are potentially risks in browser or browser-like contexts [2]. The specific subset of bugs covered by CVE-2026-8973 is not detailed individually, but the advisory notes that some bugs showed evidence of memory corruption, suggesting remote code execution is possible with enough effort.

Impact

Successful exploitation could lead to arbitrary code execution in the context of the vulnerable application, allowing an attacker to compromise user data, install malware, or perform other malicious actions. The overall impact is rated high with a CVSS v3 score of 8.8.

Mitigation

The vulnerability is fixed in Thunderbird 151 [2]. Users should update to Thunderbird 151 or later. There are no known workarounds; updating is the recommended mitigation.