This Red Hat security advisory addresses five vulnerabilities impacting Mozilla Thunderbird and related Firefox ESR versions included in Red Hat Enterprise Linux 9.4. The vulnerabilities include a use-after-free in libpng leading to arbitrary code execution (CVE-2026-33416), out-of-bounds read/write in libpng causing information disclosure and denial of service (CVE-2026-33636), multiple memory safety bugs fixed in Thunderbird ESR 140.9.1 and Firefox ESR 140.9.1 (CVE-2026-5731, CVE-2026-5734), and an integer overflow in the graphics text component affecting both Firefox and Thunderbird (CVE-2026-5732). Red Hat has issued updated Thunderbird packages (version 140.9.1-1.el9_4) across supported architectures to remediate these vulnerabilities. The advisory references Red Hat Bugzilla entries for each CVE and provides links to updated packages and remediation instructions.

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, cause denial of service, or disclose sensitive information on affected systems running vulnerable versions of Thunderbird. The memory safety bugs and integer overflow could lead to crashes or potentially more severe impacts depending on exploitability. The use-after-free vulnerability in libpng is particularly critical as it enables arbitrary code execution. However, there are no reports of known exploits in the wild at the time of this advisory.

Red Hat has released updated Thunderbird packages for Red Hat Enterprise Linux 9.4 that address all listed vulnerabilities. Users should apply these updates promptly following Red Hat's published guidance at https://access.redhat.com/articles/11258. Since this is a vendor-provided official fix, applying the update is the recommended remediation. No additional mitigation steps are indicated by the vendor advisory.