Cyber Posture

CVE-2026-4371
Severity: High

Published: 24 March 2026

Modified: 13 April 2026
KEV Added
Patch
CVSS Score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0006 (18.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking sensitive data. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly mitigates the buffer over-read vulnerability by requiring timely remediation through patching Thunderbird to fixed versions 149 or 140.9.

prevent: Implements memory protection mechanisms like ASLR and DEP to prevent exploitation of buffer over-reads that could lead to crashes or sensitive data leaks.

prevent: Requires validation of malformed input strings with negative lengths from mail servers to block the trigger for the parser's buffer over-read.

Security Summary [AI-generated]

CVE-2026-4371 is a buffer over-read vulnerability (CWE-126) in Thunderbird's mail parser, triggered by malformed strings with negative lengths sent from a malicious mail server. This causes the parser to read memory outside the allocated buffer. The issue affects Thunderbird versions prior to 149 and 140.9, with a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H). It was published on 2026-03-24.

An attacker controlling a mail server or a compromised connection to a mail server that Thunderbird connects to can exploit this remotely with high attack complexity and no privileges required. Successful exploitation could cause the parser to malfunction, potentially leading to Thunderbird crashes (availability impact) or leakage of sensitive data from memory (confidentiality impact), though no integrity impact is possible.

Mozilla's security advisories (MFSA 2026-23 and MFSA 2026-24) and the associated Bugzilla entry (bug 2023493) confirm the fix in Thunderbird 149 and Thunderbird 140.9, recommending users update to these patched versions for mitigation. No workarounds are specified in the provided details.
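To make the input-validation control above concrete, here is an added C example; it is not Thunderbird's parser code and is not taken from Mozilla's advisories or the Bugzilla entry. The wire format (a 4-byte big-endian length prefix followed by the string bytes), the function names and the sample buffers are all constructed for illustration. It contrasts a length check that compares a signed length against the remaining byte count, and therefore accepts a negative length, with a hardened check that rejects negative or oversized lengths before a single payload byte is read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example: 4-byte big-endian length, then
   that many bytes of string data. A hostile server can set the high bit of
   the length field, which a parser using int32_t sees as a negative number. */
static int32_t read_be_i32(const uint8_t *p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8)  |  (uint32_t)p[3]);
}

/* Defective check (hypothetical): a signed comparison. Any negative length is
   "less than" the remaining byte count, so it is accepted; a later copy loop
   that converts it to size_t would then read far past the end of the buffer. */
int unsafe_length_ok(int32_t len, size_t remaining) {
    return len <= (int32_t)remaining;   /* -1 <= 5 is true: accepted */
}

/* Hardened check: reject negative lengths first, then bound the length by the
   bytes actually present. No memory is touched before this passes. */
int safe_length_ok(int32_t len, size_t remaining) {
    if (len < 0) return 0;
    return (size_t)len <= remaining;
}

/* Parse one length-prefixed string from buf[0..buf_len). On success copies the
   payload into out (NUL-terminated) and returns bytes consumed (4 + length).
   Returns -1 on a truncated header, a negative or oversized length, or a
   payload that would not fit in out. */
long parse_string(const uint8_t *buf, size_t buf_len, char *out, size_t out_cap) {
    if (buf_len < 4) return -1;                  /* header itself is truncated */
    int32_t len = read_be_i32(buf);
    size_t remaining = buf_len - 4;
    if (!safe_length_ok(len, remaining)) return -1;
    size_t n = (size_t)len;
    if (n >= out_cap) return -1;                 /* guard the destination too */
    memcpy(out, buf + 4, n);
    out[n] = '\0';
    return (long)(4 + n);
}

/* Constructed sample messages. */
const uint8_t SAMPLE_GOOD[]     = {0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
const uint8_t SAMPLE_NEGATIVE[] = {0xFF, 0xFF, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'}; /* length -1 */
const uint8_t SAMPLE_OVERSIZED[] = {0x00, 0x00, 0x00, 0x10, 'a', 'b'};              /* claims 16, has 2 */
const uint8_t SAMPLE_TRUNCATED[] = {0x00, 0x00, 0x00};                             /* header incomplete */

static char g_out[64];   /* shared output buffer so callers need no locals */

int main(void) {
    printf("good:      %ld (%s)\n", parse_string(SAMPLE_GOOD, sizeof SAMPLE_GOOD, g_out, sizeof g_out), g_out);
    printf("negative:  %ld\n", parse_string(SAMPLE_NEGATIVE, sizeof SAMPLE_NEGATIVE, g_out, sizeof g_out));
    printf("oversized: %ld\n", parse_string(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, g_out, sizeof g_out));
    printf("truncated: %ld\n", parse_string(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, g_out, sizeof g_out));
    printf("unsafe check accepts -1: %d, safe check accepts -1: %d\n",
           unsafe_length_ok(-1, 5), safe_length_ok(-1, 5));
    return 0;
}
```

The point to carry over to any length-prefixed format is that the sign check and the remaining-bytes check both happen before the payload is read, and that the destination capacity is checked independently of the source length; a parser that only compares the signed length against the remaining count passes a negative value straight through to the copy.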

Details

CWE(s): CWE-126 (Buffer Over-read)

Affected Products

mozilla thunderbird: ≤ 140.9.0 · ≤ 149.0

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Buffer over-read enables memory data leakage (potentially credentials via T1212) and application crashes via direct exploitation (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References