Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:rpm/redhat/thunderbird@78.9.1-1?arch=el8_3
purl pkg:rpm/redhat/thunderbird@78.9.1-1?arch=el8_3
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 3.5
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-3tmg-yvx8-5kdt
Aliases:
CVE-2021-23991
If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice's key with an invalid subkey, Thunderbird might subsequently attempt to use the invalid subkey, and will fail to send encrypted email to Alice. There are no reported fixed by versions.
VCID-51na-65q7-mqd1
Aliases:
CVE-2021-29950
Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected state. There are no reported fixed by versions.
VCID-7tj1-s8bv-e7hv
Aliases:
CVE-2021-23992
Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user ID, or by adding another user ID. If Thunderbird imports and accepts the crafted key, the Thunderbird user may falsely conclude that the false user ID belongs to the correspondent. There are no reported fixed by versions.
VCID-un8e-mz4v-t7ea
Aliases:
CVE-2021-29949
When loading the shared library that provides the OTR protocol implementation, Thunderbird will initially attempt to open it using a filename that isn't distributed by Thunderbird. If a computer has already been infected with a malicious library of the alternative filename, and the malicious library has been copied to a directory that is contained in the search path for executable libraries, then Thunderbird will load the incorrect library. There are no reported fixed by versions.
VCID-yy95-yypj-cqbh
Aliases:
CVE-2021-23993
An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent. If an attacker creates a crafted OpenPGP key with a subkey that has an invalid self signature, and the Thunderbird user imports the crafted key, then Thunderbird may try to use the invalid subkey, but the RNP library rejects it from being used, causing encryption to fail. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T14:02:57.283717+00:00 RedHat Importer Affected by VCID-51na-65q7-mqd1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29950.json 38.0.0
2026-04-01T14:02:35.399738+00:00 RedHat Importer Affected by VCID-un8e-mz4v-t7ea https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29949.json 38.0.0
2026-04-01T14:02:35.290202+00:00 RedHat Importer Affected by VCID-yy95-yypj-cqbh https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23993.json 38.0.0
2026-04-01T14:02:35.206974+00:00 RedHat Importer Affected by VCID-7tj1-s8bv-e7hv https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23992.json 38.0.0
2026-04-01T14:02:35.124123+00:00 RedHat Importer Affected by VCID-3tmg-yvx8-5kdt https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23991.json 38.0.0