Red Hat Product Errata
RHSA-2026:13533 - Security Advisory

Issued: 2026-05-04
Updated: 2026-05-04

Synopsis
Important: thunderbird security update

Type/Severity
Security Advisory: Important

Topic
An update for thunderbird is now available for Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):
* libpng: libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)
* libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)
* thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5734)
* thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2 (CVE-2026-5731)
* firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component (CVE-2026-5732)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

Affected Products
* Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64
* Red Hat Enterprise Linux Server - AUS 9.4 x86_64
* Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x
* Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le
* Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64
* Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le
* Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64
* Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64
* Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x
* Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.4 x86_64
* Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.4 aarch64
* Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.4 ppc64le
* Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.4 s390x

Fixes
BZ - 2451805 - CVE-2026-33416 libpng: libpng: Arbitrary code execution due to use-after-free vulnerability
BZ - 2451819 - CVE-2026-33636 libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion
BZ - 2455897 - CVE-2026-5734 thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
BZ - 2455901 - CVE-2026-5731 thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
BZ - 2455908 - CVE-2026-5732 firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics: Text component

CVEs
CVE-2026-5731
CVE-2026-5732
CVE-2026-5734
CVE-2026-33416
CVE-2026-33636

References
https://access.redhat.com/security/updates/classification/#important

Updated Packages
Note: More recent versions of these packages may be available.

Packages listed, by architecture:

SRPM
thunderbird-140.9.1-1.el9_4.src.rpm

x86_64
thunderbird-140.9.1-1.el9_4.x86_64.rpm
thunderbird-debuginfo-140.9.1-1.el9_4.x86_64.rpm
thunderbird-debugsource-140.9.1-1.el9_4.x86_64.rpm

s390x
thunderbird-140.9.1-1.el9_4.s390x.rpm
thunderbird-debuginfo-140.9.1-1.el9_4.s390x.rpm
thunderbird-debugsource-140.9.1-1.el9_4.s390x.rpm

ppc64le
thunderbird-140.9.1-1.el9_4.ppc64le.rpm
thunderbird-debuginfo-140.9.1-1.el9_4.ppc64le.rpm
thunderbird-debugsource-140.9.1-1.el9_4.ppc64le.rpm

aarch64
thunderbird-140.9.1-1.el9_4.aarch64.rpm
thunderbird-debuginfo-140.9.1-1.el9_4.aarch64.rpm
thunderbird-debugsource-140.9.1-1.el9_4.aarch64.rpm

This Red Hat security advisory addresses multiple critical vulnerabilities in Thunderbird, including memory safety bugs and libpng flaws such as use-after-free and out-of-bounds read/write issues, which can lead to arbitrary code execution, information disclosure, and denial of service. The most severe CVE, CVE-2026-5734, carries a CVSS 3.1 score of 9.8 (CRITICAL). Thunderbird versions prior to 140.9.1 and 149.0.2 are affected and require an update to one of those fixed versions.