Security News

Cybersecurity news aggregator

HIGH Updates Red Hat Errata

RHSA-2026:11813: Important: thunderbird security update

This Red Hat security advisory addresses multiple critical vulnerabilities in Thunderbird for RHEL 10.0 EUS, including a critical memory safety bug (CVE-2026-5734, CVSS 9.8) and high-severity libpng flaws enabling arbitrary code execution and information disclosure. Thunderbird versions prior to 140.9.1 and 149.0.2 are affected; those releases contain the necessary fixes. The update patches these issues and should be applied promptly.

Red Hat Product Errata
RHSA-2026:11813 - Security Advisory
Issued: 2026-04-29
Updated: 2026-04-29

Synopsis:
Important: thunderbird security update

Type/Severity:
Security Advisory: Important

Topic:
An update for thunderbird is now available for Red Hat Enterprise Linux 10.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:
Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):
- libpng: libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)
- libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)
- thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5734)
- thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5731)
- firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component (CVE-2026-5732)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products:
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64
- Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64
- Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x
- Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le
- Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64

Fixes:
- BZ - 2451805 - CVE-2026-33416 libpng: libpng: Arbitrary code execution due to use-after-free vulnerability
- BZ - 2451819 - CVE-2026-33636 libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion
- BZ - 2455897 - CVE-2026-5734 thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
- BZ - 2455901 - CVE-2026-5731 thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
- BZ - 2455908 - CVE-2026-5732 firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component

CVEs:
- CVE-2026-5731
- CVE-2026-5732
- CVE-2026-5734
- CVE-2026-33416
- CVE-2026-33636

References:
- https://access.redhat.com/security/updates/classification/#important

Updated Packages:
Note: More recent versions of these packages may be available.
Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0
- SRPM: thunderbird-140.9.1-1.el10_0.src.rpm
- x86_64: thunderbird-140.9.1-1.el10_0.x86_64.rpm
- x86_64: thunderbird-debuginfo-140.9.1-1.el10_0.x86_64.rpm
- x86_64: thunderbird-debugsource-140.9.1-1.el10_0.x86_64.rpm

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0
- SRPM: thunderbird-140.9.1-1.el10_0.src.rpm
- s390x: thunderbird-140.9.1-1.el10_0.s390x.rpm
- s390x: thunderbird-debuginfo-140.9.1-1.el10_0.s390x.rpm
- s390x: thunderbird-debugsource-140.9.1-1.el10_0.s390x.rpm

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0
- SRPM: thunderbird-140.9.1-1.el10_0.src.rpm
- ppc64le: thunderbird-140.9.1-1.el10_0.ppc64le.rpm
- ppc64le: thunderbird-debuginfo-140.9.1-1.el10_0.ppc64le.rpm
- ppc64le: thunderbird-debugsource-140.9.1-1.el10_0.ppc64le.rpm

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0
- SRPM: thunderbird-140.9.1-1.el10_0.src.rpm
- aarch64: thunderbird-140.9.1-1.el10_0.aarch64.rpm
- aarch64: thunderbird-debuginfo-140.9.1-1.el10_0.aarch64.rpm
- aarch64: thunderbird-debugsource-140.9.1-1.el10_0.aarch64.rpm

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0
- SRPM: thunderbird-140.9.1-1.el10_0.src.rpm
- aarch64: thunderbird-140.9.1-1.el10_0.aarch64.rpm
- aarch64: thunderbird-debuginfo-140.9.1-1.el10_0.aarch64.rpm
- aarch64: thunderbird-debugsource-140.9.1-1.el10_0.aarch64.rpm

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0
- SRPM: thunderbird-140.9.1-1.el10_0.src.rpm
- s390x: thunderbird-140.9.1-1.el10_0.s390x.rpm
- s390x: thunderbird-debuginfo-140.9.1-1.el10_0.s390x.rpm
- s390x: thunderbird-debugsource-140.9.1-1.el10_0.s390x.rpm

Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0
- SRPM: thunderbird-140.9.1-1.el10_0.src.rpm
- ppc64le: thunderbird-140.9.1-1.el10_0.ppc64le.rpm
- ppc64le: thunderbird-debuginfo-140.9.1-1.el10_0.ppc64le.rpm
- ppc64le: thunderbird-debugsource-140.9.1-1.el10_0.ppc64le.rpm

Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0
- SRPM: thunderbird-140.9.1-1.el10_0.src.rpm
- x86_64: thunderbird-140.9.1-1.el10_0.x86_64.rpm
- x86_64: thunderbird-debuginfo-140.9.1-1.el10_0.x86_64.rpm
- x86_64: thunderbird-debugsource-140.9.1-1.el10_0.x86_64.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
