Advisories ยป MGASA-2026-0164

Updated thunderbird(-l10n) packages fix security vulnerabilities

Publication date: 29 May 2026
Modification date: 29 May 2026
Type: security
Affected Mageia releases : 9
CVE: CVE-2026-8388 , CVE-2026-8391 , CVE-2026-8401 , CVE-2026-8946 , CVE-2026-8947 , CVE-2026-8950 , CVE-2026-8953 , CVE-2026-8954 , CVE-2026-8955 , CVE-2026-8956 , CVE-2026-8957 , CVE-2026-8958 , CVE-2026-8961 , CVE-2026-8962 , CVE-2026-8968 , CVE-2026-8970 , CVE-2026-8974 , CVE-2026-8975

Description

The updated packages fix security vulnerabilities:
Incorrect boundary conditions in the Audio/Video: Web Codecs component.
(CVE-2026-8946)
Incorrect boundary conditions in the JavaScript Engine: JIT component.
(CVE-2026-8388)
Use-after-free in the DOM: Bindings (WebIDL) component. (CVE-2026-8947)
Other issue in the JavaScript Engine component. (CVE-2026-8391)
Sandbox escape in the Profile Backup component. (CVE-2026-8401)
Same-origin policy bypass in the Networking: HTTP component.
(CVE-2026-8950)
Sandbox escape due to use-after-free in the Disability Access APIs
component. (CVE-2026-8953)
Incorrect boundary conditions, integer overflow in the Audio/Video
component. (CVE-2026-8954)
Privilege escalation in the DOM: Workers component. (CVE-2026-8955)
Integer overflow in the Networking: JAR component. (CVE-2026-8956)
Privilege escalation in the Enterprise Policies component.
(CVE-2026-8957)
Information disclosure, sandbox escape in the Security: Process
Sandboxing component. (CVE-2026-8958)
Spoofing issue in the Form Autofill component. (CVE-2026-8961)
Mitigation bypass in the DOM: Security component. (CVE-2026-8962)
Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs
component. (CVE-2026-8968)
Privilege escalation in the Security component. (CVE-2026-8970)
Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151.
(CVE-2026-8974)
Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151.
(CVE-2026-8975)

References

SRPMS

9/core