This Important Red Hat security update addresses multiple high-severity vulnerabilities in Thunderbird for RHEL 8, including memory safety bugs (CVE-2026-7323, CVSS 7.3), an information disclosure in the Audio/Video component (CVE-2026-7320, CVSS 7.5), and a sandbox escape in WebRTC Networking (CVE-2026-7321). Affected versions are Thunderbird prior to 140.10.1 and 150.0.1, as detailed in the NVD data. The remediation is to apply the provided Red Hat package update, which upgrades Thunderbird to a fixed version.
Red Hat Product Errata RHSA-2026:20586 - Security Advisory Issued: 2026-05-26 Updated: 2026-05-26 RHSA-2026:20586 - Security Advisory Overview Updated Packages Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fix(es): firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1 (CVE-2026-7323) firefox: thunderbird: Information disclosure due to incorrect boundary conditions in the Audio/Video component (CVE-2026-7320) firefox: thunderbird: Memory safety bugs fixed in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1 (CVE-2026-7322) firefox: thunderbird: webrtc: Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component (CVE-2026-7321) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 8 x86_64 Red Hat Enterprise Linux for IBM z Systems 8 s390x Red Hat Enterprise Linux for Power, little endian 8 ppc64le Red Hat Enterprise Linux for ARM 64 8 aarch64 Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 8.10 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 8.10 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 8.10 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 8.10 s390x Fixes BZ - 2463481 - CVE-2026-7323 firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.10.1 and Firefox 150.0.1 BZ - 2463483 - CVE-2026-7320 firefox: thunderbird: Information disclosure due to incorrect boundary conditions in the Audio/Video component BZ - 2463484 - CVE-2026-7322 firefox: thunderbird: Memory safety bugs fixed in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1 BZ - 2463485 - CVE-2026-7321 firefox: thunderbird: webrtc: Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component CVEs CVE-2026-7320 CVE-2026-7321 CVE-2026-7322 CVE-2026-7323 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 8 SRPM thunderbird-140.10.1-1.el8_10.src.rpm SHA-256: 2948adc4e0b11154facfe970c00007d5980720d09f1be51b4cacf91731357219 x86_64 thunderbird-140.10.1-1.el8_10.x86_64.rpm SHA-256: f53ded86cc09a8d7629ea324df89ca42ba7edfc460e44519a49f14de53f6ac2c thunderbird-debuginfo-140.10.1-1.el8_10.x86_64.rpm SHA-256: 3423289dbe35b03fe9093e8857d32748c97fc46d0392b0dc8492753db4666179 thunderbird-debugsource-140.10.1-1.el8_10.x86_64.rpm SHA-256: e1e338d88559d6e6bfce3235a810b1b8076a027ae49b886654dd1ee6f18e851d Red Hat Enterprise Linux for IBM z Systems 8 SRPM thunderbird-140.10.1-1.el8_10.src.rpm SHA-256: 2948adc4e0b11154facfe970c00007d5980720d09f1be51b4cacf91731357219 s390x thunderbird-140.10.1-1.el8_10.s390x.rpm SHA-256: b93f952a79fc1ba0d6d3a0021be2c59b19c3903e7e99888630aa354443f222f2 thunderbird-debuginfo-140.10.1-1.el8_10.s390x.rpm SHA-256: 30dabf54cb20e0cf4e56b1ccd238ff3aefbef5e4628e16615b80f8ebdfb4fc96 thunderbird-debugsource-140.10.1-1.el8_10.s390x.rpm SHA-256: 7d5922cd1bc121c3c43ee1db92733ccc4522073c89222afa4ad35363675449f9 Red Hat Enterprise Linux for Power, little endian 8 SRPM thunderbird-140.10.1-1.el8_10.src.rpm SHA-256: 2948adc4e0b11154facfe970c00007d5980720d09f1be51b4cacf91731357219 ppc64le thunderbird-140.10.1-1.el8_10.ppc64le.rpm SHA-256: 48c58edb63aaf570522a824e9d03fe0cba57c86f6d535c3d62ca677d5584a929 thunderbird-debuginfo-140.10.1-1.el8_10.ppc64le.rpm SHA-256: 0ffc2ae771de39053147bb5aaa14b33d24253023b62cb32392a9b888d2b19799 thunderbird-debugsource-140.10.1-1.el8_10.ppc64le.rpm SHA-256: 5c9a4934569f8bfa75ebeb54ab4503c2cb3f068b5d157934f22bac250f8b1ed3 Red Hat Enterprise Linux for ARM 64 8 SRPM thunderbird-140.10.1-1.el8_10.src.rpm SHA-256: 2948adc4e0b11154facfe970c00007d5980720d09f1be51b4cacf91731357219 aarch64 thunderbird-140.10.1-1.el8_10.aarch64.rpm SHA-256: f10716fe8404dd293bfaef305bfbeb32b85f8115877d36dba02c28e62a74d7ea thunderbird-debuginfo-140.10.1-1.el8_10.aarch64.rpm SHA-256: 64ccf0fea0b61c347b264871a3fd7b81c146a191f592be5e2febb8ef0806711d thunderbird-debugsource-140.10.1-1.el8_10.aarch64.rpm SHA-256: e46d87d18de2ac095cca317da25c6bcd49d2157822bf8edf60b299291ca33965 Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 8.10 SRPM thunderbird-140.10.1-1.el8_10.src.rpm SHA-256: 2948adc4e0b11154facfe970c00007d5980720d09f1be51b4cacf91731357219 x86_64 thunderbird-140.10.1-1.el8_10.x86_64.rpm SHA-256: f53ded86cc09a8d7629ea324df89ca42ba7edfc460e44519a49f14de53f6ac2c thunderbird-debuginfo-140.10.1-1.el8_10.x86_64.rpm SHA-256: 3423289dbe35b03fe9093e8857d32748c97fc46d0392b0dc8492753db4666179 thunderbird-debugsource-140.10.1-1.el8_10.x86_64.rpm SHA-256: e1e338d88559d6e6bfce3235a810b1b8076a027ae49b886654dd1ee6f18e851d Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 8.10 SRPM thunderbird-140.10.1-1.el8_10.src.rpm SHA-256: 2948adc4e0b11154facfe970c00007d5980720d09f1be51b4cacf91731357219 aarch64 thunderbird-140.10.1-1.el8_10.aarch64.rpm SHA-256: f10716fe8404dd293bfaef305bfbeb32b85f8115877d36dba02c28e62a74d7ea thunderbird-debuginfo-140.10.1-1.el8_10.aarch64.rpm SHA-256: 64ccf0fea0b61c347b264871a3fd7b81c146a191f592be5e2febb8ef0806711d thunderbird-debugsource-140.10.1-1.el8_10.aarch64.rpm SHA-256: e46d87d18de2ac095cca317da25c6bcd49d2157822bf8edf60b299291ca33965 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 8.10 SRPM thunderbird-140.10.1-1.el8_10.src.rpm SHA-256: 2948adc4e0b11154facfe970c00007d5980720d09f1be51b4cacf91731357219 ppc64le thunderbird-140.10.1-1.el8_10.ppc64le.rpm SHA-256: 48c58edb63aaf570522a824e9d03fe0cba57c86f6d535c3d62ca677d5584a929 thunderbird-debuginfo-140.10.1-1.el8_10.ppc64le.rpm SHA-256: 0ffc2ae771de39053147bb5aaa14b33d24253023b62cb32392a9b888d2b19799 thunderbird-debugsource-140.10.1-1.el8_10.ppc64le.rpm SHA-256: 5c9a4934569f8bfa75ebeb54ab4503c2cb3f068b5d157934f22bac250f8b1ed3 Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 8.10 SRPM thunderbird-140.10.1-1.el8_10.src.rpm SHA-256: 2948adc4e0b11154facfe970c00007d5980720d09f1be51b4cacf91731357219 s390x thunderbird-140.10.1-1.el8_10.s390x.rpm SHA-256: b93f952a79fc1ba0d6d3a0021be2c59b19c3903e7e99888630aa354443f222f2 thunderbird-debuginfo-140.10.1-1.el8_10.s390x.rpm SHA-256: 30dabf54cb20e0cf4e56b1ccd238ff3aefbef5e4628e16615b80f8ebdfb4fc96 thunderbird-debugsource-140.10.1-1.el8_10.s390x.rpm SHA-256: 7d5922cd1bc121c3c43ee1db92733ccc4522073c89222afa4ad35363675449f9 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .