Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20046-1 Final 1 1 2026-01-16T12:09:04Z current 2026-01-16T12:09:04Z 2026-01-16T12:09:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird fixes the following issues: Changes in MozillaThunderbird: - Mozilla Thunderbird 140.6.0 ESR MFSA 2025-96 (bsc#1254551) * CVE-2025-14321 (bmo#1992760) Use-after-free in the WebRTC: Signaling component * CVE-2025-14322 (bmo#1996473) Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component * CVE-2025-14323 (bmo#1996555) Privilege escalation in the DOM: Notifications component * CVE-2025-14324 (bmo#1996840) JIT miscompilation in the JavaScript Engine: JIT component * CVE-2025-14325 (bmo#1998050) JIT miscompilation in the JavaScript Engine: JIT component * CVE-2025-14328 (bmo#1996761) Privilege escalation in the Netmonitor component * CVE-2025-14329 (bmo#1997018) Privilege escalation in the Netmonitor component * CVE-2025-14330 (bmo#1997503) JIT miscompilation in the JavaScript Engine: JIT component * CVE-2025-14331 (bmo#2000218) Same-origin policy bypass in the Request Handling component * CVE-2025-14333 (bmo#1966501, bmo#1997639) Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-packagehub-72 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1254551 SUSE Bug 1254551 https://www.suse.com/security/cve/CVE-2025-14321/ SUSE CVE CVE-2025-14321 page https://www.suse.com/security/cve/CVE-2025-14322/ SUSE CVE CVE-2025-14322 page https://www.suse.com/security/cve/CVE-2025-14323/ SUSE CVE CVE-2025-14323 page https://www.suse.com/security/cve/CVE-2025-14324/ SUSE CVE CVE-2025-14324 page https://www.suse.com/security/cve/CVE-2025-14325/ SUSE CVE CVE-2025-14325 page https://www.suse.com/security/cve/CVE-2025-14328/ SUSE CVE CVE-2025-14328 page https://www.suse.com/security/cve/CVE-2025-14329/ SUSE CVE CVE-2025-14329 page https://www.suse.com/security/cve/CVE-2025-14330/ SUSE CVE CVE-2025-14330 page https://www.suse.com/security/cve/CVE-2025-14331/ SUSE CVE CVE-2025-14331 page https://www.suse.com/security/cve/CVE-2025-14333/ SUSE CVE CVE-2025-14333 page openSUSE Leap 16.0 MozillaThunderbird-140.6.0-bp160.1.1 MozillaThunderbird-openpgp-librnp-140.6.0-bp160.1.1 MozillaThunderbird-translations-common-140.6.0-bp160.1.1 MozillaThunderbird-translations-other-140.6.0-bp160.1.1 MozillaThunderbird-140.6.0-bp160.1.1 as a component of openSUSE Leap 16.0 MozillaThunderbird-openpgp-librnp-140.6.0-bp160.1.1 as a component of openSUSE Leap 16.0 MozillaThunderbird-translations-common-140.6.0-bp160.1.1 as a component of openSUSE Leap 16.0 MozillaThunderbird-translations-other-140.6.0-bp160.1.1 as a component of openSUSE Leap 16.0 Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. CVE-2025-14321 openSUSE Leap 16.0:MozillaThunderbird-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.6.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-14321.html CVE-2025-14321 https://bugzilla.suse.com/1254551 SUSE Bug 1254551 Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. CVE-2025-14322 openSUSE Leap 16.0:MozillaThunderbird-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.6.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-14322.html CVE-2025-14322 https://bugzilla.suse.com/1254551 SUSE Bug 1254551 Privilege escalation in the DOM: Notifications component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. CVE-2025-14323 openSUSE Leap 16.0:MozillaThunderbird-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.6.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-14323.html CVE-2025-14323 https://bugzilla.suse.com/1254551 SUSE Bug 1254551 JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. CVE-2025-14324 openSUSE Leap 16.0:MozillaThunderbird-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.6.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-14324.html CVE-2025-14324 https://bugzilla.suse.com/1254551 SUSE Bug 1254551 JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. CVE-2025-14325 openSUSE Leap 16.0:MozillaThunderbird-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.6.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-14325.html CVE-2025-14325 https://bugzilla.suse.com/1254551 SUSE Bug 1254551 Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. CVE-2025-14328 openSUSE Leap 16.0:MozillaThunderbird-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.6.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-14328.html CVE-2025-14328 https://bugzilla.suse.com/1254551 SUSE Bug 1254551 Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. CVE-2025-14329 openSUSE Leap 16.0:MozillaThunderbird-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.6.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-14329.html CVE-2025-14329 https://bugzilla.suse.com/1254551 SUSE Bug 1254551 JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. CVE-2025-14330 openSUSE Leap 16.0:MozillaThunderbird-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.6.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-14330.html CVE-2025-14330 https://bugzilla.suse.com/1254551 SUSE Bug 1254551 Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. CVE-2025-14331 openSUSE Leap 16.0:MozillaThunderbird-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.6.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-14331.html CVE-2025-14331 https://bugzilla.suse.com/1254551 SUSE Bug 1254551 Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. CVE-2025-14333 openSUSE Leap 16.0:MozillaThunderbird-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-openpgp-librnp-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-common-140.6.0-bp160.1.1 openSUSE Leap 16.0:MozillaThunderbird-translations-other-140.6.0-bp160.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-14333.html CVE-2025-14333 https://bugzilla.suse.com/1254551 SUSE Bug 1254551