Description
A malicious LDAP server that a user's Thunderbird is configured to query for address-book autocomplete can cause the Thunderbird LDAP client to accumulate arbitrarily large amounts of attacker-supplied data until it crashes due to memory exhaustion. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.
Affected products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Thunderbird | 140.12.1 to <=140.*; 152.0.1 to <=* |
References
Generated from the official CVE List on 01 Jul 2026 07:05 UTC.