Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:alpm/archlinux/thunderbird@91.2.0-1
purl pkg:alpm/archlinux/thunderbird@91.2.0-1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (7)
Vulnerability Summary Aliases
VCID-1rj3-tt63-4yc1 Through use of reportValidity() and window.open(), a plain-text validation message could have been overlaid on another origin, leading to possible user confusion and spoofing attacks. CVE-2021-38497
VCID-2k99-39yt-gkbe During operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash. CVE-2021-38496
VCID-6fkp-5fzu-fydp Mozilla developers and community members Andreas Pehrson and Christian Holler reported memory safety bugs present in Thunderbird 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. CVE-2021-38500
VCID-9y48-sjn7-rqeu Mozilla developers and community members Kevin Brosnan, Mihai Alexandru Michis, and Christian Holler reported memory safety bugs present in Thunderbird 91.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. CVE-2021-38501
VCID-hhu1-cgcx-nfev During process shutdown, a document could have caused a use-after-free of a languages service object, leading to memory corruption and a potentially exploitable crash. CVE-2021-38498
VCID-vtjf-sufh-p3h4 crossbeam-deque Data Race before v0.7.4 and v0.8.1 ### Impact In the affected version of this crate, the result of the race condition is that one or more tasks in the worker queue can be popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this can cause double free and a memory leak. If not, this still can cause a logical bug. Crates using `Stealer::steal`, `Stealer::steal_batch`, or `Stealer::steal_batch_and_pop` are affected by this issue. ### Patches This has been fixed in crossbeam-deque 0.8.1 and 0.7.4. ### Credits This issue was reported and fixed by Maor Kleinberger. ### License This advisory is in the public domain. CVE-2021-32810
GHSA-pqqp-xmhj-wgcw
VCID-zwz9-pt55-t3c6 Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. CVE-2021-38502

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T18:25:18.606951+00:00 Arch Linux Importer Fixing VCID-vtjf-sufh-p3h4 https://security.archlinux.org/AVG-2459 38.0.0
2026-04-01T18:25:18.582222+00:00 Arch Linux Importer Fixing VCID-2k99-39yt-gkbe https://security.archlinux.org/AVG-2459 38.0.0
2026-04-01T18:25:18.560007+00:00 Arch Linux Importer Fixing VCID-1rj3-tt63-4yc1 https://security.archlinux.org/AVG-2459 38.0.0
2026-04-01T18:25:18.537505+00:00 Arch Linux Importer Fixing VCID-hhu1-cgcx-nfev https://security.archlinux.org/AVG-2459 38.0.0
2026-04-01T18:25:18.514023+00:00 Arch Linux Importer Fixing VCID-6fkp-5fzu-fydp https://security.archlinux.org/AVG-2459 38.0.0
2026-04-01T18:25:18.490051+00:00 Arch Linux Importer Fixing VCID-9y48-sjn7-rqeu https://security.archlinux.org/AVG-2459 38.0.0
2026-04-01T18:25:18.463567+00:00 Arch Linux Importer Fixing VCID-zwz9-pt55-t3c6 https://security.archlinux.org/AVG-2459 38.0.0