This Red Hat security advisory addresses five vulnerabilities in Mozilla Thunderbird related to Firefox components, including a privilege escalation vulnerability in the Firefox Updater (CVE-2025-2817), unsafe attribute access during XPath parsing (CVE-2025-4087), process isolation bypass using "javascript:" URI links in cross-origin frames (CVE-2025-4083), and multiple memory safety bugs fixed in Thunderbird 138 and ESR 128.10 (CVE-2025-4091 and CVE-2025-4093). The vulnerabilities span issues such as privilege escalation, unsafe attribute handling, process isolation bypass, and memory safety errors. Red Hat has released updated Thunderbird packages for Red Hat Enterprise Linux 9 and its Extended Update Support and Extended Life Cycle variants across multiple architectures. The advisory references fixes for these CVEs and directs users to apply the update to remediate the issues.

The vulnerabilities include privilege escalation, unsafe attribute access, process isolation bypass, and memory safety bugs, which could potentially allow an attacker to elevate privileges, bypass security boundaries, or cause memory corruption. The Red Hat advisory rates the overall security impact as Important, indicating a high severity level but not critical. No known exploits in the wild have been reported at this time.

Red Hat has released updated Thunderbird packages that address these vulnerabilities. Users of Red Hat Enterprise Linux 9 and its variants should apply the Thunderbird update as described in the Red Hat advisory RHSA-2025:4460 and the referenced article https://access.redhat.com/articles/11258. Applying this official update is the recommended remediation. No additional mitigation steps are indicated by the vendor advisory.