Updated thunderbird packages fix security vulnerabilities
Publication date: 09 May 2026Modification date: 09 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-6746 , CVE-2026-6747 , CVE-2026-6748 , CVE-2026-6749 , CVE-2026-6750 , CVE-2026-6751 , CVE-2026-6752 , CVE-2026-6753 , CVE-2026-6754 , CVE-2026-6757 , CVE-2026-6759 , CVE-2026-6761 , CVE-2026-6762 , CVE-2026-6763 , CVE-2026-6764 , CVE-2026-6765 , CVE-2026-6769
Description
Use-after-free in the DOM: Core & HTML component. (CVE-2026-6746)
Use-after-free in the WebRTC component. (CVE-2026-6747)
Uninitialized memory in the Audio/Video: Web Codecs component.
(CVE-2026-6748)
Information disclosure due to uninitialized memory in the Graphics:
Canvas2D component. (CVE-2026-6749)
Privilege escalation in the Graphics: WebRender component.
(CVE-2026-6750)
Uninitialized memory in the Audio/Video: Web Codecs component.
(CVE-2026-6751)
Incorrect boundary conditions in the WebRTC component. (CVE-2026-6752)
Incorrect boundary conditions in the WebRTC component. (CVE-2026-6753)
Use-after-free in the JavaScript Engine component. (CVE-2026-6754)
Invalid pointer in the JavaScript: WebAssembly component.
(CVE-2026-6757)
Use-after-free in the Widget: Cocoa component. (CVE-2026-6759)
Privilege escalation in the Networking component. (CVE-2026-6761)
Spoofing issue in the DOM: Core & HTML component. (CVE-2026-6762)
Mitigation bypass in the File Handling component. (CVE-2026-6763)
Incorrect boundary conditions in the DOM: Device Interfaces component.
(CVE-2026-6764)
Information disclosure in the Form Autofill component. (CVE-2026-6765)
Privilege escalation in the Debugger component. (CVE-2026-6769)
Other issue in the Storage: IndexedDB component. (CVE-2026-6770)
Mitigation bypass in the DOM: Security component. (CVE-2026-6771)
Incorrect boundary conditions in the WebRTC: Networking component.
(CVE-2026-6776)
Memory safety bugs fixed in Firefox ESR 115.35, Firefox ESR 140.10,
Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150. (CVE-2026-6785)
Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10,
Firefox 150 and Thunderbird 150. (CVE-2026-6786)
Information disclosure due to incorrect boundary conditions in the
Audio/Video component. (CVE-2026-7320)
Sandbox escape due to incorrect boundary conditions in the WebRTC:
Networking component. (CVE-2026-7321)
Memory safety bugs fixed in Memory safety bugs fixed in Thunderbird ESR
140.10.1 and Thunderbird 150.0.1. (CVE-2026-7322)
Memory safety bugs fixed in Thunderbird ESR 140.10.1 and Thunderbird
150.0.1. (CVE-2026-7323)
References
- https://bugs.mageia.org/show_bug.cgi?id=35404
- https://www.thunderbird.net/en-US/thunderbird/140.10.0esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-34/
- https://www.thunderbird.net/en-US/thunderbird/140.10.1esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-39/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6746
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6747
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6748
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6749
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6750
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6751
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6752
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6753
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6754
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6757
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6759
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6761
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6762
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6763
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6764
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6765
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-6769
SRPMS
9/core
- thunderbird-140.10.1-1.mga9
- thunderbird-l10n-140.10.1-1.mga9