This Red Hat security advisory addresses multiple vulnerabilities in Mozilla Thunderbird and related Firefox components integrated into Thunderbird. The fixes cover a range of issues: CVE-2025-3523 involves UI misrepresentation of attachment URLs; CVE-2025-2830 concerns information disclosure of the /tmp directory listing; CVE-2025-3522 is about leaking hashed Windows credentials via crafted attachment URLs; CVE-2025-2817 is a privilege escalation vulnerability in the Firefox Updater; CVE-2025-4087 involves unsafe attribute access during XPath parsing; CVE-2025-4083 is a process isolation bypass using javascript: URI links in cross-origin frames; CVE-2025-4091 and CVE-2025-4093 are memory safety bugs fixed in Thunderbird 128.10 and Firefox 138/ESR 128.10. Red Hat has released updated Thunderbird packages (version 128.10.0) for Red Hat Enterprise Linux 10 across multiple architectures to address these issues.

The vulnerabilities collectively could allow attackers to misrepresent UI elements, disclose sensitive information such as directory listings and hashed credentials, escalate privileges via the updater, bypass process isolation protections, and exploit memory safety bugs potentially leading to crashes or code execution. These issues pose a high security risk to users of affected Thunderbird versions on Red Hat Enterprise Linux 10 systems.

Red Hat has released updated Thunderbird packages (version 128.10.0) that address all listed vulnerabilities. Users should apply the security update promptly by following Red Hat's official update instructions at https://access.redhat.com/articles/11258. This update is available for Red Hat Enterprise Linux 10 and its Extended Update Support and Extended Life Cycle variants across supported architectures. No additional mitigations are indicated beyond applying the official update.