CVE-2025-26696: Crafted email message incorrectly shown as being encrypted
Published Mar 4, 2025
·Updated
Certain crafted MIME email messages that claimed to contain an encrypted OpenPGP message, which instead contained an OpenPGP signed message, were wrongly shown as being encrypted.
Affected Software
5 affected componentsFixes available
Mozilla Thunderbird<136, <128.8
Mozilla Thunderbird<136
136
Mozilla Thunderbird<128.8
128.8
Mozilla Thunderbird<128.8.0
Mozilla Thunderbird>=129.0<136.0
Event History
Mar 4, 2025
CVE Published
via Mozilla·12:00 AM
Mar 10, 2025
CVE Published
via MITRE·06:41 PM
Data Sourced
via MITRE·06:41 PM
Description
Data Sourced
via NVD·07:15 PM
DescriptionSeverityWeaknessAffected Software
Peer vulnerabilities
Found alongside the following vulnerabilities.
Frequently Asked Questions
1
What is the severity of CVE-2025-26696?
CVE-2025-26696 has been classified as a moderate severity vulnerability.
2
How do I fix CVE-2025-26696?
To fix CVE-2025-26696, users should upgrade to Thunderbird version 136 or later, or 128.8 or later.
3
What is the impact of CVE-2025-26696 on affected software?
CVE-2025-26696 may lead to users mistakenly believing that an OpenPGP signed message is encrypted, which could compromise the integrity of sensitive communications.
4
Which versions of Thunderbird are affected by CVE-2025-26696?
Thunderbird versions prior to 136 and prior to 128.8 are affected by CVE-2025-26696.
5
What type of messages does CVE-2025-26696 affect?
CVE-2025-26696 affects crafted MIME email messages that claim to contain encrypted OpenPGP messages.