Thunderbird <149 Vulnerable Parser Reads OOB via Malformed Mail (CVE-2026-4371)
CVE-2026-4371 Published on March 24, 2026

Out of bounds read in IMAP parsing
A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking sensitive data. This vulnerability affects Thunderbird < 149 and Thunderbird < 140.9.

NVD

Products Associated with CVE-2026-4371

Want to know whenever a new CVE is published for Mozilla Thunderbird? stack.watch will email you.

Mozilla Thunderbird

Affected Versions

Mozilla Thunderbird:

Version unspecified and below 149 is affected.

Mozilla Thunderbird:

Version unspecified and below 140.9 is affected.

Thunderbird <149 Vulnerable Parser Reads OOB via Malformed Mail (CVE-2026-4371)CVE-2026-4371 Published on March 24, 2026

Products Associated with CVE-2026-4371

Affected Versions

Thunderbird <149 Vulnerable Parser Reads OOB via Malformed Mail (CVE-2026-4371)
CVE-2026-4371 Published on March 24, 2026