Issued:: 2025-09-08
Updated:: 2025-09-08

RHSA-2025:15437 - Security Advisory

Overview
Updated Packages

Synopsis

Important: thunderbird security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

firefox: thunderbird: Denial-of-service due to out-of-memory in the Graphics: WebRender component (CVE-2025-9182)
thunderbird: firefox: Sandbox escape due to invalid pointer in the Audio/Video: GMP component (CVE-2025-9179)
thunderbird: firefox: Same-origin policy bypass in the Graphics: Canvas2D component (CVE-2025-9180)
thunderbird: firefox: Uninitialized memory in the JavaScript Engine component (CVE-2025-9181)
thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142 (CVE-2025-9185)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux Server - AUS 8.2 x86_64

Fixes

BZ - 2389575 - CVE-2025-9182 firefox: thunderbird: Denial-of-service due to out-of-memory in the Graphics: WebRender component
BZ - 2389580 - CVE-2025-9179 thunderbird: firefox: Sandbox escape due to invalid pointer in the Audio/Video: GMP component
BZ - 2389581 - CVE-2025-9180 thunderbird: firefox: Same-origin policy bypass in the Graphics: Canvas2D component
BZ - 2389583 - CVE-2025-9181 thunderbird: firefox: Uninitialized memory in the JavaScript Engine component
BZ - 2389584 - CVE-2025-9185 thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server - AUS 8.2

SRPM
thunderbird-128.14.0-3.el8_2.src.rpm	SHA-256: f524c4ba856dd67ba3d04a0d5a4611d93376c8d1c893dee3f37b7e2ebcb16b32
x86_64
thunderbird-128.14.0-3.el8_2.x86_64.rpm	SHA-256: 7e09f36a9e9d2b132390c0405216e582a931319024263fa19067b21da288bd52
thunderbird-debuginfo-128.14.0-3.el8_2.x86_64.rpm	SHA-256: d8ea3ccbf1b774594ef5cd78cf45afdc58f03b91a6b3f6df574e10d2450ec1b4
thunderbird-debugsource-128.14.0-3.el8_2.x86_64.rpm	SHA-256: 4ef186ce3ab1328b03f75508dbd0c0ba4027bedfbee7c412e5a8c003235764fb

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation