CVE Catalog

CVE-2026-57962

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

12th percentile — higher than 12% of all known CVEs

Summary

A malicious LDAP server, queried by Thunderbird for address-book autocomplete, can send arbitrarily large amounts of data to the Thunderbird LDAP client, causing a crash due to memory exhaustion. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.

Risk Assessment

An attacker can crash Thunderbird by exhausting memory, potentially leading to loss of unsaved data or disruption of user workflow.

Recommendation

Immediately update Thunderbird to version 152.0.1 or 140.12.1. Restrict trust in LDAP servers used for address-book autocomplete.

Original NVD description (English source)

A malicious LDAP server, which a Thunderbird user is configured to query for address-book autocomplete, can stash arbitrarily large amounts of attacker-supplied data into the Thunderbird LDAP client until it crashes due to memory exhaustion. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS