CVE-2026-8388

medium

Published 2026-05-27 · Modified 2026-06-03

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4 NEW

—

not yet in upstream

VIR risk

6.5

Description

Important: thunderbird security update

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description firefox: thunderbird: Incorrect boundary conditions in the JavaScript Engine: JIT component Red Hat statement Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory. CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) Errata / fixed releases ProductPackageAdvisoryReleased Red Hat Enterprise Linux…

Description

firefox: thunderbird: Incorrect boundary conditions in the JavaScript Engine: JIT component

Red Hat statement

Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.

CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 10	`firefox-0:140.11.0-1.el10_2`	RHSA-2026:21380	2026-05-27T00:00:00Z
Red Hat Enterprise Linux 10	`thunderbird-0:140.11.0-1.el10_2`	RHSA-2026:22325	2026-06-01T00:00:00Z
Red Hat Enterprise Linux 8	`firefox-0:140.11.0-1.el8_10`	RHSA-2026:21382	2026-05-27T00:00:00Z
Red Hat Enterprise Linux 8	`thunderbird-0:140.11.0-1.el8_10`	RHSA-2026:22643	2026-06-03T00:00:00Z
Red Hat Enterprise Linux 9	`firefox-0:140.11.0-1.el9_8`	RHSA-2026:21378	2026-05-27T00:00:00Z
Red Hat Enterprise Linux 9	`thunderbird-0:140.11.0-1.el9_8`	RHSA-2026:21381	2026-05-27T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 10	`rhel10/firefox-flatpak`	Affected
Red Hat Enterprise Linux 10	`rhel10/thunderbird-flatpak`	Affected
Red Hat Enterprise Linux 6	`firefox`	Out of support scope
Red Hat Enterprise Linux 6	`thunderbird`	Out of support scope
Red Hat Enterprise Linux 7	`firefox`	Affected
Red Hat Enterprise Linux 7	`thunderbird`	Out of support scope

Apply commands

bash fix

Apply RHSA-2026:21380 for Red Hat Enterprise Linux 10

yum update -y firefox
# or:
dnf upgrade -y firefox

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 10	`Affected`
redhat	Red Hat Enterprise Linux 10	`Affected`
redhat	Red Hat Enterprise Linux 7	`Affected`

OS impact

AlmaLinux Fixed 2 releases

Version	Status	Fixed in
9	Fixed	`firefox-x11-140.11.0-1.el9_8.alma.1.ppc64le.rpm`
8	Fixed	`firefox-140.11.0-1.el8_10.alma.1.aarch64.rpm`

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`140.11.0esr-1~deb13u1`
sid	Fixed	`150.0.3-1`
forky	Fixed	`140.11.0esr-1`
bullseye	Fixed	`140.11.0esr-1~deb11u1`
bookworm	Fixed	`140.11.0esr-1~deb12u1`

Red Hat Fixed 2 releases

Version	Status	Fixed in
9	Fixed	—
8	Fixed	—

Application impact

Vendor	Product	Versions	Fixed
mozilla	firefox	`{"endExcluding":"150.0.3"}`	`150.0.3`

References

CWEs

CWE-119

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.