This advisory covers a set of nine security vulnerabilities in Mozilla Thunderbird, as distributed by Red Hat Enterprise Linux 10. The issues include a large branch table leading to truncated instructions (CVE-2025-8028), multiple memory safety bugs (CVE-2025-8035, CVE-2025-8034), incorrect URL stripping in CSP reports (CVE-2025-8031), partial return values written to the stack by the JavaScript engine (CVE-2025-8027), potential user-assisted code execution via the 'Copy as cURL' command (CVE-2025-8030), incorrect JavaScript state machine handling for generators (CVE-2025-8033), XSLT documents bypassing CSP (CVE-2025-8032), and execution of javascript: URLs on object and embed tags (CVE-2025-8029). Red Hat has issued an update for Thunderbird in Red Hat Enterprise Linux 10 and its extended update support versions to address these vulnerabilities.

The vulnerabilities collectively pose a high security risk, including memory safety issues that could lead to crashes or code execution, CSP bypasses that weaken security policies, and potential user-assisted code execution that could allow attackers to execute arbitrary code under certain conditions. These flaws affect the Thunderbird mail client and could impact confidentiality, integrity, and availability of the affected systems if exploited.

Red Hat has released an important security update for Thunderbird in Red Hat Enterprise Linux 10 and its extended update support versions. Users should apply the update as provided by Red Hat to remediate these vulnerabilities. For detailed update instructions, refer to Red Hat's advisory at https://access.redhat.com/articles/11258. No additional mitigation steps are indicated beyond applying the official update.