A malicious LDAP server, which a Thunderbird user is configured to query for address-book autocomplete, can stash arbitrarily large amounts of attacker-supplied data into the Thunderbird LDAP client until it crashes due to memory exhaustion. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 01 Jul 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla; Mozilla thunderbird
Vendors & Products | | Mozilla; Mozilla thunderbird

Wed, 01 Jul 2026 06:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-399

Wed, 01 Jul 2026 01:30:00 +0000

Type | Values Removed | Values Added
Description | | A malicious LDAP server, which a Thunderbird user is configured to query for address-book autocomplete, can stash arbitrarily large amounts of attacker-supplied data into the Thunderbird LDAP client until it crashes due to memory exhaustion. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.
Title | | Denial-of-service via malicious LDAP address-book server
References | |


MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-07-01T00:58:32.777Z

Reserved: 2026-06-26T15:27:32.831Z

Link: CVE-2026-57962

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T09:00:14Z

Weaknesses