CVE-2026-57962 PUBLISHED

Denial-of-service via malicious LDAP address-book server

Assigner: mozilla
Reserved: 26.06.2026 Published: 01.07.2026 Updated: 01.07.2026

A malicious LDAP server that a Thunderbird user has configured for address-book autocomplete queries can stash arbitrarily large amounts of attacker-supplied data in the Thunderbird LDAP client until the client crashes from memory exhaustion. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.

Product Status

Vendor Mozilla
Product Thunderbird
Versions
  • unaffected from 140.12.1 to 140.* (incl.)
  • unaffected from 152.0.1 to * (incl.)

Credits

  • Michael Bommarito
