Title of the patch: Security update for MozillaThunderbird

---

Description of the patch: This update for MozillaThunderbird fixes the following issues: Changes in MozillaThunderbird: - Mozilla Thunderbird 140.12.0 ESR MFSA 2026-61 (bsc#1268071) * CVE-2026-12289 (bmo#2023443) Privilege escalation in the Graphics: WebRender component * CVE-2026-12290 (bmo#2024852) Memory safety bug fixed in Thunderbird ESR 140.12 * CVE-2026-12291 (bmo#2036929) Use-after-free in the Networking: HTTP component * CVE-2026-12292 (bmo#2038465) Incorrect boundary conditions in the Web Audio component * CVE-2026-12294 (bmo#2039873) Sandbox escape in the DOM: Workers component * CVE-2026-12295 (bmo#2040160) Sandbox escape in the DOM: Navigation component * CVE-2026-12298 (bmo#2041981) Memory safety bug fixed in Thunderbird ESR 140.12 * CVE-2026-12296 (bmo#2040515) Sandbox escape in the Security: Process Sandboxing component * CVE-2026-12297 (bmo#2041610) Sandbox escape due to incorrect boundary conditions in the Networking component * CVE-2026-12299 (bmo#2043139) JIT miscompilation in the DOM: Core & HTML component * CVE-2026-12329 (bmo#2044738) Memory safety bug fixed in Thunderbird ESR 140.12 * CVE-2026-12302 (bmo#2034489) Mitigation bypass in the DOM: Security component * CVE-2026-12304 (bmo#2034944) Same-origin policy bypass in the Networking: Cookies component * CVE-2026-12305 (bmo#2037290) Memory safety bug fixed in Thunderbird ESR 140.12 * CVE-2026-12306 (bmo#2037323) Memory safety bug fixed in Thunderbird ESR 140.12 * CVE-2026-12307 (bmo#2038133) Memory safety bug fixed in Thunderbird ESR 140.12 * CVE-2026-12308 (bmo#2038302) Memory safety bug fixed in Thunderbird ESR 140.12 * CVE-2026-12309 (bmo#2038476) Memory safety bug fixed in Thunderbird ESR 140.12 * CVE-2026-12310 (bmo#2039707) Memory safety bug fixed in Thunderbird ESR 140.12 * CVE-2026-12311 (bmo#2040177) Information disclosure, sandbox escape in the Security: Process Sandboxing component * CVE-2026-12312 (bmo#2040383) Memory safety bug fixed in Thunderbird ESR 140.12 * CVE-2026-12313 (bmo#2040477) Information disclosure, sandbox escape in the Security: Process Sandboxing component * CVE-2026-12314 (bmo#2041856) Memory safety bug fixed in Thunderbird ESR 140.12 * CVE-2026-12315 (bmo#2042058) Mitigation bypass in the DOM: Security component * CVE-2026-12330 (bmo#2029326) Incorrect boundary conditions in the Internationalization component * CVE-2026-12324 (bmo#2038444) Incorrect boundary conditions in the Graphics: CanvasWebGL component * CVE-2026-12325 (bmo#2039443) Denial-of-service in the Graphics: ImageLib component * CVE-2026-12327 (bmo#2011842, bmo#2023902, bmo#2025512, bmo#2027312, bmo#2029444, bmo#2036571, bmo#2036900, bmo#2036936, bmo#2037995, bmo#2038551, bmo#2040717, bmo#2042724) Memory safety bugs fixed in Firefox ESR 140.12, Thunderbird ESR 140.12, Firefox 152 and Thunderbird 152 * CVE-2026-12328 (bmo#2029402, bmo#2038477, bmo#2039726, bmo#2041373, bmo#2042268, bmo#2042451, bmo#2042782, bmo#2042858, bmo#2042929, bmo#2042965, bmo#2043213) Memory safety bugs fixed in Firefox ESR 115.37, Firefox ESR 140.12, Thunderbird ESR 140.12, Firefox 152 and Thunderbird 152 - Mozilla Thunderbird 140.11.0 ESR MFSA 2026-51 (bsc#1265212) * CVE-2026-8946 (bmo#2029070) Incorrect boundary conditions in the Audio/Video: Web Codecs component * CVE-2026-8388 (bmo#2036978) Incorrect boundary conditions in the JavaScript Engine: JIT component * CVE-2026-8947 (bmo#2038439) Use-after-free in the DOM: Bindings (WebIDL) component * CVE-2026-8391 (bmo#2038575) Other issue in the JavaScript Engine component * CVE-2026-8401 (bmo#2038679) Sandbox escape in the Profile Backup component * CVE-2026-8949 (bmo#1355639) Integer overflow in the Widget: Win32 component * CVE-2026-8950 (bmo#1965430) Same-origin policy bypass in the Networking: HTTP component * CVE-2026-8953 (bmo#2029511) Sandbox escape due to use-after-free in the Disability Access APIs component * CVE-2026-8954 (bmo#2030747) Incorrect boundary conditions, integer overflow in the Audio/Video component * CVE-2026-8955 (bmo#2031064) Privilege escalation in the DOM: Workers component * CVE-2026-8956 (bmo#2032427) Integer overflow in the Networking: JAR component * CVE-2026-8957 (bmo#2033850) Privilege escalation in the Enterprise Policies component * CVE-2026-8958 (bmo#2034713) Information disclosure, sandbox escape in the Security: Process Sandboxing component * CVE-2026-8959 (bmo#2034754) Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component * CVE-2026-8961 (bmo#1962625) Spoofing issue in the Form Autofill component * CVE-2026-8962 (bmo#2004804) Mitigation bypass in the DOM: Security component * CVE-2026-8968 (bmo#2030467) Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component * CVE-2026-8970 (bmo#2032174) Privilege escalation in the Security component * CVE-2026-8974 (bmo#1784128, bmo#1883230, bmo#1983677, bmo#2022390, bmo#2023116, bmo#2023657, bmo#2024255, bmo#2024418, bmo#2024441, bmo#2024447, bmo#2024966, bmo#2025412, bmo#2025467, bmo#2025940, bmo#2025950, bmo#2025956, bmo#2026284, bmo#2027247, bmo#2027255, bmo#2027288, bmo#2027306, bmo#2027322, bmo#2027332, bmo#2027333, bmo#2028266, bmo#2028292, bmo#2028319, bmo#2028526, bmo#2028870, bmo#2028876, bmo#2028882, bmo#2029062, bmo#2029309, bmo#2029414, bmo#2029422, bmo#2029428, bmo#2029447, bmo#2029732, bmo#2029785, bmo#2029793, bmo#2029813, bmo#2029899, bmo#2031028, bmo#2031457, bmo#2032039, bmo#2033610, bmo#2033854, bmo#2034498, bmo#2034628, bmo#2034978, bmo#2035966, bmo#2036668, bmo#2036905, bmo#2036930) Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151 * CVE-2026-8975 (bmo#1860195, bmo#2029325, bmo#2029429, bmo#2029910, bmo#2035915, bmo#2038669, bmo#2038678) Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151 - Mozilla Thunderbird 140.10.2 MFSA 2026-44 (bsc#1264378) * CVE-2026-8090 (bmo#2034352) Use-after-free in the DOM: Networking component * CVE-2026-8094 (bmo#2035939) Other issue in the WebRTC component * CVE-2026-8092 (bmo#1806249, bmo#2021977, bmo#2022576, bmo#2022722, bmo#2024439, bmo#2027883, bmo#2029463, bmo#2030323, bmo#2032042, bmo#2032043, bmo#2033270, bmo#2033637, bmo#2034422, bmo#2034496, bmo#2035879, bmo#2036516) Memory safety bugs fixed in Thunderbird ESR 140.10.2 and Thunderbird 150.0.2 - Mozilla Thunderbird 140.10.1 ESR MFSA 2026-39 (bsc#1263110) * CVE-2026-7320 (bmo#2027433) Information disclosure due to incorrect boundary conditions in the Audio/Video component * CVE-2026-7321 (bmo#2029461) Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component * CVE-2026-7322 (bmo#2021904, bmo#2022731, bmo#2027158, bmo#2027733, bmo#2027973, bmo#2027976, bmo#2028231, bmo#2028731, bmo#2028886, bmo#2029067, bmo#2029700, bmo#2029724, bmo#2029806, bmo#2029814, bmo#2030108, bmo#2030111, bmo#2031524, bmo#2031921, bmo#2032040) Memory safety bugs fixed in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1 * CVE-2026-7323 (bmo#2028537, bmo#2029911, bmo#2031121, bmo#2033602) Memory safety bugs fixed in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1

---

Patchnames: openSUSE-Leap-16.0-packagehub-363

---

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).