CVE-2026-0887
high
CVSS v3
β
CVSS v4 NEW
β
VIR risk
8.0
Description
RHSA-2026:2220: thunderbird security update (Important)
Predictions
Exploit likelihood
20%
Patch ETA
β
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Source: Red Hat Errata β Red Hat Inc. Β· View original β Β· Open-Errata-API
Description firefox: thunderbird: Clickjacking issue, information disclosure in the PDF Viewer component Red Hat statement Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory. CVSS v3: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) Errata / fixed releases ProductPackageAdvisoryReleased Red Hat Enterprise Linuxβ¦
Description
firefox: thunderbird: Clickjacking issue, information disclosure in the PDF Viewer component
Red Hat statement
Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.
CVSS v3: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | firefox-0:140.7.0-1.el10_1 | RHSA-2026:2271 | 2026-02-09T00:00:00Z |
| Red Hat Enterprise Linux 10 | thunderbird-0:140.7.0-1.el10_1 | RHSA-2026:2286 | 2026-02-09T00:00:00Z |
| Red Hat Enterprise Linux 10.0 Extended Update Support | firefox-0:140.7.0-1.el10_0 | RHSA-2026:2271 | 2026-02-09T00:00:00Z |
| Red Hat Enterprise Linux 10.0 Extended Update Support | thunderbird-0:140.7.0-1.el10_0 | RHSA-2026:2286 | 2026-02-09T00:00:00Z |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | firefox-0:140.7.0-1.el7_9 | RHSA-2026:2231 | 2026-02-09T00:00:00Z |
| Red Hat Enterprise Linux 8 | firefox-0:140.7.0-1.el8_10 | RHSA-2026:0667 | 2026-01-15T00:00:00Z |
| Red Hat Enterprise Linux 8 | thunderbird-0:140.7.0-1.el8_10 | RHSA-2026:2220 | 2026-02-09T00:00:00Z |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | thunderbird-0:140.7.0-1.el8_2 | RHSA-2026:1471 | 2026-01-28T00:00:00Z |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | firefox-0:140.7.0-1.el8_2 | RHSA-2026:2074 | 2026-02-05T00:00:00Z |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | thunderbird-0:140.7.0-1.el8_4 | RHSA-2026:1461 | 2026-01-28T00:00:00Z |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | firefox-0:140.7.0-1.el8_4 | RHSA-2026:2073 | 2026-02-05T00:00:00Z |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | thunderbird-0:140.7.0-1.el8_4 | RHSA-2026:1461 | 2026-01-28T00:00:00Z |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | firefox-0:140.7.0-1.el8_4 | RHSA-2026:2073 | 2026-02-05T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | thunderbird-0:140.7.0-1.el8_6 | RHSA-2026:1487 | 2026-01-28T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | firefox-0:140.7.0-1.el8_6 | RHSA-2026:2070 | 2026-02-05T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | thunderbird-0:140.7.0-1.el8_6 | RHSA-2026:1487 | 2026-01-28T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | firefox-0:140.7.0-1.el8_6 | RHSA-2026:2070 | 2026-02-05T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | thunderbird-0:140.7.0-1.el8_6 | RHSA-2026:1487 | 2026-01-28T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | firefox-0:140.7.0-1.el8_6 | RHSA-2026:2070 | 2026-02-05T00:00:00Z |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | thunderbird-0:140.7.0-1.el8_8 | RHSA-2026:1462 | 2026-01-28T00:00:00Z |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | firefox-0:140.7.0-1.el8_8 | RHSA-2026:2069 | 2026-02-05T00:00:00Z |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | thunderbird-0:140.7.0-1.el8_8 | RHSA-2026:1462 | 2026-01-28T00:00:00Z |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | firefox-0:140.7.0-1.el8_8 | RHSA-2026:2069 | 2026-02-05T00:00:00Z |
| Red Hat Enterprise Linux 9 | firefox-0:140.7.0-1.el9_7 | RHSA-2026:0694 | 2026-01-15T00:00:00Z |
| Red Hat Enterprise Linux 9 | thunderbird-0:140.7.0-1.el9_7 | RHSA-2026:0924 | 2026-01-21T00:00:00Z |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | thunderbird-0:140.7.0-1.el9_0 | RHSA-2026:1413 | 2026-01-27T00:00:00Z |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | firefox-0:140.7.0-1.el9_0 | RHSA-2026:2047 | 2026-02-05T00:00:00Z |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | thunderbird-0:140.7.0-1.el9_2 | RHSA-2026:1415 | 2026-01-27T00:00:00Z |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | firefox-0:140.7.0-1.el9_2 | RHSA-2026:2044 | 2026-02-05T00:00:00Z |
| Red Hat Enterprise Linux 9.4 Extended Update Support | thunderbird-0:140.7.0-1.el9_4 | RHSA-2026:1414 | 2026-01-27T00:00:00Z |
| Red Hat Enterprise Linux 9.4 Extended Update Support | firefox-0:140.7.0-1.el9_4 | RHSA-2026:2041 | 2026-02-05T00:00:00Z |
| Red Hat Enterprise Linux 9.6 Extended Update Support | thunderbird-0:140.7.0-2.el9_6 | RHSA-2026:1320 | 2026-01-27T00:00:00Z |
| Red Hat Enterprise Linux 9.6 Extended Update Support | firefox-0:140.7.0-1.el9_6 | RHSA-2026:2043 | 2026-02-05T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 10 | rhel10/firefox-flatpak | Affected |
| Red Hat Enterprise Linux 10 | rhel10/thunderbird-flatpak | Affected |
| Red Hat Enterprise Linux 6 | firefox | Out of support scope |
| Red Hat Enterprise Linux 6 | thunderbird | Out of support scope |
| Red Hat Enterprise Linux 7 | thunderbird | Out of support scope |
Apply commands
Apply RHSA-2026:2271 for Red Hat Enterprise Linux 10
yum update -y firefox
# or:
dnf upgrade -y firefoxAffected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 10 | Affected |
| redhat | Red Hat Enterprise Linux 10 | Affected |
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rocky | 8 | fixed | |
| rhel | 9 | fixed | |
| debian | sid | fixed | 147.0-1 |
| debian | bookworm | fixed | 140.7.0esr-1~deb12u1 |
| debian | bullseye | fixed | 140.7.0esr-1~deb11u1 |
| debian | forky | fixed | 140.7.0esr-1 |
| debian | trixie | fixed | 140.7.0esr-1~deb13u1 |
| sles | affected | | |
| rocky | 9 | fixed | |
| rhel | 8 | fixed | |
References
- https://errata.rockylinux.org/RLSA-2026:2220
- https://errata.rockylinux.org/RLSA-2026:0667
- https://access.redhat.com/errata/RHSA-2026:0694
- https://access.redhat.com/errata/RHSA-2026:0924
- https://security-tracker.debian.org/tracker/CVE-2026-0887
- https://www.suse.com/security/cve/CVE-2026-0887.html
- https://errata.rockylinux.org/RLSA-2026:0924
- https://errata.rockylinux.org/RLSA-2026:0694
- https://access.redhat.com/errata/RHSA-2026:0667
- https://bugzilla.redhat.com/2420507
- https://bugzilla.redhat.com/2428961
- https://bugzilla.redhat.com/2428963
- https://bugzilla.redhat.com/2428965
- https://bugzilla.redhat.com/2428966
- https://bugzilla.redhat.com/2428967
- https://bugzilla.redhat.com/2428968
- https://bugzilla.redhat.com/2428969
- https://bugzilla.redhat.com/2428971
- https://bugzilla.redhat.com/2428972
- https://bugzilla.redhat.com/2428973
- https://bugzilla.redhat.com/2428975
- https://bugzilla.redhat.com/2428978
- https://errata.almalinux.org/8/ALSA-2026-0667.html
- https://access.redhat.com/errata/RHSA-2026:2220
- https://errata.almalinux.org/8/ALSA-2026-2220.html
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.