CVE-2026-8975
Description
Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory safety bugs in Thunderbird 140.10 and 150 could lead to arbitrary code execution when scripting is enabled.
Vulnerability
CVE-2026-8975 is a collection of memory safety bugs present in Thunderbird versions 140.10 and 150. These bugs showed evidence of memory corruption, and Mozilla presumes that with enough effort some of them could have been exploited to run arbitrary code. The vulnerability also affected Firefox 140.10 and Firefox 150. Affected versions include Thunderbird 140.10 and Thunderbird 150. [1][2][3]
Exploitation
In the Thunderbird product, these flaws cannot be exploited through email because scripting is disabled when reading mail. However, they are potentially exploitable in browser or browser-like contexts where scripting is enabled. No further details on the specific attack vector or required conditions have been provided in the available references. [2][3]
Impact
Successful exploitation could allow an attacker to achieve arbitrary code execution, leading to full compromise of the affected system. The impact is rated as high by Mozilla. [1][2]
Mitigation
The vulnerability was fixed in Thunderbird 151 and Thunderbird 140.11, released on May 19, 2026. Users should update to these versions or later. Mozilla also fixed the issue in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11. [1][2][3][4]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=140.10, <=150
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- www.mozilla.org/security/advisories/mfsa2026-46/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2026-47/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2026-48/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2026-50/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2026-51/nvdVendor Advisory
- bugzilla.mozilla.org/buglist.cginvdPermissions Required
News mentions
0No linked articles in our index yet.