CVE-2026-4371
Received Received - Intake
Buffer Overflow in Thunderbird Mail Parser Causes Crash, Data Leak

Publication date: 2026-03-24

Last updated on: 2026-04-13

Assigner: Mozilla Corporation

Description
A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking sensitive data. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4371
EUVD
EUVD-2026-15023
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mozilla thunderbird to 149.0 (exc)
mozilla thunderbird to 140.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-126 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves a malicious mail server sending malformed strings with negative lengths to Thunderbird's parser.

These malformed strings cause the parser to read memory outside the intended buffer, which can lead to malfunction.

If a mail server or connection to a mail server is compromised, an attacker could exploit this to crash Thunderbird or leak sensitive data.

The vulnerability affects Thunderbird versions earlier than 149 and earlier than 140.9.

Impact Analysis

An attacker exploiting this vulnerability could cause Thunderbird to crash, disrupting email communication.

More seriously, the attacker could leak sensitive data by causing the parser to read memory outside the buffer.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4371. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart