CVE-2026-4371: Out of bounds read in IMAP parsing
A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking sensitive data.
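The advisory describes a server-supplied string length that the parser trusts. In IMAP, string lengths arrive on the wire as a literal header "{N}" followed by CRLF and N octets of data. The C program below is an added illustration of that bug class, not Thunderbird's code and not the actual faulty function: parse_literal_vulnerable reads N into a signed int and converts it to a size without checking its sign or the bytes remaining, so "{-5}" turns into a length near SIZE_MAX and "{100000}" is accepted on a 13-byte buffer; parse_literal_hardened accepts only digits, caps the length and requires the body to fit in what was received. The function names, the sample responses and the 1 MiB cap are assumptions made for this example.

```c
/* Added example, not Thunderbird's code: a minimal parser for the IMAP literal
 * header "{N}\r\n" (RFC 3501 literal syntax) that precedes N octets of string
 * data, shown in a vulnerable form and a hardened form. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int ok;            /* 1 if the parser accepted the header */
    size_t body_off;   /* offset of the first body octet in the buffer */
    size_t len;        /* number of octets the parser will go on to read */
} literal_t;

/* Vulnerable pattern: the length is parsed as a signed int and converted to a
 * size without checking its sign or the bytes remaining. "{-5}" becomes a
 * length of SIZE_MAX-4; "{100000}" on a 13-byte buffer is accepted unchanged.
 * Either way the consumer would read far past the end of the buffer. */
static literal_t parse_literal_vulnerable(const char *buf, size_t buflen)
{
    literal_t r = {0, 0, 0};
    char *end;
    if (buflen == 0 || buf[0] != '{')
        return r;
    int n = (int)strtol(buf + 1, &end, 10);                 /* sign never examined */
    if (*end != '}' || end[1] != '\r' || end[2] != '\n')    /* relies on NUL termination */
        return r;
    r.ok = 1;
    r.body_off = (size_t)(end + 3 - buf);
    r.len = (size_t)n;                                      /* negative n wraps to a huge size */
    return r;
}

/* Hardened form: digits only (so a '-' is a syntax error), an explicit upper
 * bound on the literal, every header byte checked against buflen, and the
 * body required to lie entirely inside the buffer. */
static literal_t parse_literal_hardened(const char *buf, size_t buflen, size_t max_literal)
{
    literal_t r = {0, 0, 0};
    size_t i = 0, n = 0, ndigits = 0;
    if (buflen < 5 || buf[i++] != '{')                      /* "{0}\r\n" is the shortest header */
        return r;
    while (i < buflen && buf[i] >= '0' && buf[i] <= '9') {
        size_t d = (size_t)(buf[i] - '0');
        if (d > max_literal || n > (max_literal - d) / 10)  /* n*10+d would exceed the cap */
            return r;
        n = n * 10 + d;
        i++;
        ndigits++;
    }
    if (ndigits == 0)                                       /* rejects "{-5}", "{}", "{abc}" */
        return r;
    if (i + 3 > buflen || buf[i] != '}' || buf[i + 1] != '\r' || buf[i + 2] != '\n')
        return r;
    i += 3;
    if (n > buflen - i)                                     /* body must fit in what was received */
        return r;
    r.ok = 1;
    r.body_off = i;
    r.len = n;
    return r;
}

/* Would reading lit->len octets at lit->body_off run past a buflen-byte buffer?
 * Uses subtraction rather than addition so the check itself cannot overflow. */
static int read_exceeds_buffer(const literal_t *lit, size_t buflen)
{
    if (!lit->ok)
        return 0;
    return lit->body_off > buflen || lit->len > buflen - lit->body_off;
}

/* Helpers over a NUL-terminated sample response. */
int vulnerable_would_overread(const char *resp)
{
    literal_t lit = parse_literal_vulnerable(resp, strlen(resp));
    return read_exceeds_buffer(&lit, strlen(resp));
}

int hardened_accepts(const char *resp)
{
    /* 1 MiB cap is an assumed policy value for this example. */
    literal_t lit = parse_literal_hardened(resp, strlen(resp), (size_t)1 << 20);
    return lit.ok;
}

int main(void)
{
    /* Constructed sample server responses, not captured traffic. */
    const char *samples[] = { "{3}\r\nabc", "{-5}\r\nabc", "{100000}\r\nabc" };
    for (size_t k = 0; k < 3; k++) {
        literal_t v = parse_literal_vulnerable(samples[k], strlen(samples[k]));
        printf("sample %zu: vulnerable ok=%d len=%zu overread=%d | hardened ok=%d\n",
               k, v.ok, v.len, vulnerable_would_overread(samples[k]),
               hardened_accepts(samples[k]));
    }
    return 0;
}
```

The hardened parser never dereferences a byte it has not first compared against buflen, and the body-fits check is the one that matters for the advisory's scenario: a length that is syntactically valid but larger than the data actually received must be treated as "wait for more input" or rejected, never as permission to read.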
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2026-3889
- CVE-2026-4684
- CVE-2026-4685
- CVE-2026-4686
- CVE-2026-4687
- CVE-2026-4688
- CVE-2026-4689
- CVE-2026-4690
- CVE-2026-4691
- CVE-2026-4692
- CVE-2026-4693
- CVE-2026-4694
- CVE-2026-4695
- CVE-2026-4696
- CVE-2026-4697
- CVE-2026-4698
- CVE-2026-4699
- CVE-2026-4700
- CVE-2026-4701
- CVE-2026-4702
- CVE-2026-4704
- CVE-2026-4705
- CVE-2026-4706
- CVE-2026-4707
- CVE-2026-4708
- CVE-2026-4709
- CVE-2026-4710
- CVE-2026-4711
- CVE-2026-4712
- CVE-2026-4713
- CVE-2026-4714
- CVE-2026-4715
- CVE-2026-4716
- CVE-2026-4717
- CVE-2025-59375
- CVE-2026-4718
- CVE-2026-4719
- CVE-2026-4720
- CVE-2026-4721
- CVE-2026-4722
- CVE-2026-4723
- CVE-2026-4724
- CVE-2026-4725
- CVE-2026-4726
- CVE-2026-4727
- CVE-2026-4728
- CVE-2026-4729
Frequently Asked Questions
What is the severity of CVE-2026-4371?
CVE-2026-4371 is an out-of-bounds read, not a write: a string with a malformed, negative length from the server makes the IMAP parser read past the end of its buffer. The page gives no numeric score; the impact described is a crash of Thunderbird (denial of service) and possible disclosure of memory contents, with no code execution claimed, so treat it as an information-disclosure and availability issue rather than assuming it is critical.
How do I fix CVE-2026-4371?
To address CVE-2026-4371, update Mozilla Thunderbird to a release that contains the fix: 149 or later on the main release line, or 140.9 or later on the 140 branch.
Who is affected by CVE-2026-4371?
CVE-2026-4371 affects users of Mozilla Thunderbird running a version earlier than 149 on the main release line or earlier than 140.9 on the 140 branch, when the client talks to an IMAP server that is malicious or compromised, or over a connection an attacker can tamper with.
What kind of attack does CVE-2026-4371 enable?
CVE-2026-4371 enables an out-of-bounds read: a malicious or compromised IMAP server, or an attacker controlling the connection to it, sends a string with a malformed, negative length, and the parser reads memory beyond its buffer. The result is a crash of Thunderbird or a leak of memory contents; the advisory does not describe a buffer overflow (out-of-bounds write) or code execution.
Is there any workaround for CVE-2026-4371?
No configuration workaround is given; the recommended action for CVE-2026-4371 is to run a fixed version of Mozilla Thunderbird. Because the attack requires the server or the connection to be under attacker control, connecting only over TLS with certificate validation blocks the on-path case, but it does nothing against a malicious or compromised server and is not a substitute for updating.