CVE-2025-26695

Summary

When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.

Affected Software

VendorProductVersion RangeStatus
MozillaThunderbird128.8 <= 128.*unaffected
MozillaThunderbird136 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References