{"id":"RLSA-2026:29940","summary":"Important: thunderbird security update","details":"Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nSecurity Fix(es):\n\n* firefox: thunderbird: Sandbox escape in the DOM: Workers component (CVE-2026-12294)\n\n* firefox: thunderbird: Information disclosure, sandbox escape in the Security: Process Sandboxing component (CVE-2026-12313)\n\n* firefox: thunderbird: Information disclosure, sandbox escape in the Security: Process Sandboxing component (CVE-2026-12311)\n\n* firefox: thunderbird: Memory safety bug fixed in Thunderbird ESR 140.12 (CVE-2026-12290)\n\n* firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.12, Thunderbird ESR 140.12, Firefox 152 and Thunderbird 152 (CVE-2026-12327)\n\n* firefox: thunderbird: JIT miscompilation in the DOM: Core & HTML component (CVE-2026-12299)\n\n* firefox: thunderbird: Memory safety bug fixed in Thunderbird ESR 140.12 (CVE-2026-12329)\n\n* firefox: thunderbird: Memory safety bug fixed in Thunderbird ESR 140.12 (CVE-2026-12312)\n\n* firefox: thunderbird: Mitigation bypass in the DOM: Security component (CVE-2026-12302)\n\n* firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.37, Firefox ESR 140.12, Thunderbird ESR 140.12, Firefox 152 and Thunderbird 152 (CVE-2026-12328)\n\n* firefox: thunderbird: Incorrect boundary conditions in the Internationalization component (CVE-2026-12330)\n\n* firefox: thunderbird: Memory safety bug fixed in Thunderbird ESR 140.12 (CVE-2026-12314)\n\n* firefox: thunderbird: Memory safety bug fixed in Thunderbird ESR 140.12 (CVE-2026-12309)\n\n* firefox: thunderbird: Memory safety bug fixed in Thunderbird ESR 140.12 (CVE-2026-12310)\n\n* firefox: thunderbird: Denial-of-service in the Graphics: ImageLib component (CVE-2026-12325)\n\n* firefox: thunderbird: Sandbox escape in the DOM: Navigation component (CVE-2026-12295)\n\n* firefox: thunderbird: Privilege escalation in the Graphics: WebRender component (CVE-2026-12289)\n\n* firefox: thunderbird: Mitigation bypass in the DOM: Security component (CVE-2026-12315)\n\n* firefox: thunderbird: Sandbox escape in the Security: Process Sandboxing component (CVE-2026-12296)\n\n* firefox: thunderbird: Memory safety bug fixed in Thunderbird ESR 140.12 (CVE-2026-12306)\n\n* firefox: thunderbird: Memory safety bug fixed in Thunderbird ESR 140.12 (CVE-2026-12307)\n\n* firefox: thunderbird: Sandbox escape due to incorrect boundary conditions in the Networking component (CVE-2026-12297)\n\n* firefox: thunderbird: Memory safety bug fixed in Thunderbird ESR 140.12 (CVE-2026-12305)\n\n* firefox: thunderbird: Incorrect boundary conditions in the Web Audio component (CVE-2026-12292)\n\n* firefox: thunderbird: Memory safety bug fixed in Thunderbird ESR 140.12 (CVE-2026-12308)\n\n* firefox: thunderbird: Incorrect boundary conditions in the Graphics: CanvasWebGL component (CVE-2026-12324)\n\n* firefox: thunderbird: Same-origin policy bypass in the Networking: Cookies component (CVE-2026-12304)\n\n* firefox: thunderbird: Use-after-free in the Networking: HTTP component (CVE-2026-12291)\n\n* firefox: thunderbird: Memory safety bug fixed in Firefox ESR 140.12 (CVE-2026-12298)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.","modified":"2026-06-26T12:30:07.043443545Z","published":"2026-06-26T12:03:13.137376Z","upstream":["CVE-2026-12289","CVE-2026-12290","CVE-2026-12291","CVE-2026-12292","CVE-2026-12294","CVE-2026-12295","CVE-2026-12296","CVE-2026-12297","CVE-2026-12298","CVE-2026-12299","CVE-2026-12302","CVE-2026-12304","CVE-2026-12305","CVE-2026-12306","CVE-2026-12307","CVE-2026-12308","CVE-2026-12309","CVE-2026-12310","CVE-2026-12311","CVE-2026-12312","CVE-2026-12313","CVE-2026-12314","CVE-2026-12315","CVE-2026-12324","CVE-2026-12325","CVE-2026-12327","CVE-2026-12328","CVE-2026-12329","CVE-2026-12330"],"references":[{"type":"ADVISORY","url":"https://errata.rockylinux.org/RLSA-2026:29940"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489207"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489208"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489209"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489210"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489211"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489212"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489214"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489215"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489217"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489218"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489220"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489221"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489223"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489224"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489225"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489226"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489229"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489231"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489232"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489233"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489234"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489235"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489236"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489237"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489239"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489240"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489243"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489244"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2489248"}],"affected":[{"package":{"name":"thunderbird","ecosystem":"Rocky Linux:9","purl":"pkg:rpm/rocky-linux/thunderbird?distro=rocky-linux-9&epoch=0"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:140.12.0-1.el9_8"}],"database_specific":{"yum_repository":"AppStream"}}],"database_specific":{"source":"https://storage.googleapis.com/resf-osv-data/RLSA-2026:29940.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"credits":[{"name":"Rocky Enterprise Software Foundation"},{"name":"Red Hat"}]}