CVE-2026-8974
Description
Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory safety bugs in Thunderbird 140.10 and 150 could allow arbitrary code execution; fixed in Thunderbird 151 and 140.11.
Vulnerability
Memory safety bugs were present in Thunderbird versions 140.10 and 150 [1][2][3]. The official description states that these bugs showed evidence of memory corruption, and it is presumed that with enough effort some could have been exploited to run arbitrary code. The vulnerabilities were fixed in Thunderbird 151 and Thunderbird 140.11 [1][2][3][4].
Exploitation
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts [2][3]. An attacker would need to convince a user to interact with malicious content in a context where scripting is enabled.
Impact
Successful exploitation of the memory corruption could allow an attacker to run arbitrary code, potentially leading to full compromise of the application [1]. The impact is rated as high with a CVSS v3 score of 8.8.
Mitigation
Users should update to Thunderbird 151 or Thunderbird 140.11, which were released on May 19, 2026, to address these vulnerabilities [1][2][3][4]. No workarounds are mentioned; updating is the recommended mitigation.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=140.10,<140.11
- Range: <=140.10, <=150
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2026-46/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-48/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-50/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-51/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/buglist.cgi (nvd, Broken Link)