RLSA-2025:8756

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

• thunderbird: JavaScript Execution via Spoofed PDF Attachment and file:/// Link (CVE-2025-3909)

• thunderbird: Sender Spoofing via Malformed From Header in Thunderbird (CVE-2025-3875)

• thunderbird: Unsolicited File Download, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links (CVE-2025-3877)

• thunderbird: Tracking Links in Attachments Bypassed Remote Content Blocking (CVE-2025-3932)

• firefox: thunderbird: Out-of-bounds access when resolving Promise objects (CVE-2025-4918)

• firefox: thunderbird: Out-of-bounds access when optimizing linear sums (CVE-2025-4919)

• firefox: thunderbird: Clickjacking vulnerability could have led to leaking saved payment card details (CVE-2025-5267)

• firefox: thunderbird: Potential local code execution in ?Copy as cURL? command (CVE-2025-5264)

• firefox: thunderbird: Memory safety bugs (CVE-2025-5268)

• firefox: thunderbird: Script element events leaked cross-origin resource status (CVE-2025-5266)

• firefox: thunderbird: Error handling for script execution was incorrectly isolated from web content (CVE-2025-5263)

• firefox: thunderbird: Memory safety bug (CVE-2025-5269)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.