CVE-2026-57962
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
A malicious LDAP server, queried by Thunderbird for address-book autocomplete, can send arbitrarily large amounts of data to the Thunderbird LDAP client, causing a crash due to memory exhaustion. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.
Risk Assessment
An attacker can crash Thunderbird by exhausting memory, potentially leading to loss of unsaved data or disruption of user workflow.
Recommendation
Immediately update Thunderbird to version 152.0.1 or 140.12.1. Restrict trust in LDAP servers used for address-book autocomplete.
Original NVD description (English source)
A malicious LDAP server, which a Thunderbird user is configured to query for address-book autocomplete, can stash arbitrarily large amounts of attacker-supplied data into the Thunderbird LDAP client until it crashes due to memory exhaustion. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.

