| Reporter | Title | Published | Views | Family All 1239 |
|---|---|---|---|---|
| CVE-2026-12305 | 16 Jun 202611:52 | – | attackerkb | |
| CVE-2026-12308 | 16 Jun 202611:52 | – | attackerkb | |
| CVE-2026-12307 | 16 Jun 202611:52 | – | attackerkb | |
| CVE-2026-12292 | 16 Jun 202611:52 | – | attackerkb | |
| CVE-2026-12314 | 16 Jun 202611:52 | – | attackerkb | |
| CVE-2026-12298 | 16 Jun 202611:52 | – | attackerkb | |
| CVE-2026-12295 | 16 Jun 202611:52 | – | attackerkb | |
| CVE-2026-56406 | 21 Jun 202615:48 | – | attackerkb | |
| CVE-2026-56408 | 21 Jun 202615:51 | – | attackerkb | |
| CVE-2026-50219 | 4 Jun 202604:20 | – | attackerkb |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2026-3795.
##
include('compat.inc');
if (description)
{
script_id(325578);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/07/08");
script_cve_id(
"CVE-2026-12289",
"CVE-2026-12290",
"CVE-2026-12292",
"CVE-2026-12294",
"CVE-2026-12295",
"CVE-2026-12296",
"CVE-2026-12297",
"CVE-2026-12298",
"CVE-2026-12299",
"CVE-2026-12304",
"CVE-2026-12305",
"CVE-2026-12306",
"CVE-2026-12307",
"CVE-2026-12308",
"CVE-2026-12309",
"CVE-2026-12310",
"CVE-2026-12312",
"CVE-2026-12313",
"CVE-2026-12314",
"CVE-2026-12324",
"CVE-2026-12325",
"CVE-2026-12327",
"CVE-2026-12328",
"CVE-2026-12329",
"CVE-2026-12330",
"CVE-2026-50219",
"CVE-2026-56131",
"CVE-2026-56132",
"CVE-2026-56208",
"CVE-2026-56210",
"CVE-2026-56211",
"CVE-2026-56403",
"CVE-2026-56404",
"CVE-2026-56405",
"CVE-2026-56406",
"CVE-2026-56407",
"CVE-2026-56408",
"CVE-2026-56412"
);
script_name(english:"Amazon Linux 2 : thunderbird, --advisory ALAS2-2026-3795 (ALAS-2026-3795)");
script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The version of thunderbird installed on the remote host is prior to 140.12.0-1. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2-2026-3795 advisory.
Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 152,
Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12289)
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR
140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12290)
Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 152,
Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12292)
Sandbox escape in the DOM: Workers component. This vulnerability was fixed in Firefox 152, Firefox ESR
140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12294)
Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR
140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12295)
Sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152,
Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12296)
Sandbox escape due to incorrect boundary conditions in the Networking component. This vulnerability was
fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
(CVE-2026-12297)
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR
140.12, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12298)
JIT miscompilation in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152, Firefox
ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12299)
Same-origin policy bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox
152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12304)
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR
140.12, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12305)
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR
140.12, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12306)
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR
140.12, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12307)
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR
140.12, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12308)
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR
140.12, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12309)
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR
140.12, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12310)
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR
140.12, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12312)
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability
was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12313)
Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152, Firefox ESR
140.12, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12314)
Incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in
Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12324)
Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 152,
Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12325)
Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151.
Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of
these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152,
Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12. (CVE-2026-12327)
Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151
and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with
enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed
in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.
(CVE-2026-12328)
Memory safety bug fixed in Thunderbird ESR 140.12. This vulnerability was fixed in Firefox ESR 140.12 and
Thunderbird 140.12. (CVE-2026-12329)
Incorrect boundary conditions in the Internationalization component. This vulnerability was fixed in
Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 140.12. (CVE-2026-12330)
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse,
XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation.
Thus, a use-after-free can occur, (CVE-2026-50219)
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers
in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219
situation). (CVE-2026-56131)
In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold
backing array reallocation is mishandled when there is data-structure sharing across parsers.
(CVE-2026-56132)
A heap buffer overflow vulnerability was found in libaom, the reference AV1 codec implementation. A flaw
in the AV1 encoder's Look-Ahead Processing (LAP) mode causes the first-pass stats ring buffer wrap-around
guard to be bypassed when g_lag_in_frames is set to 1 or higher. This results in a 232-byte out-of-bounds
write on every encoded frame after the second, corrupting adjacent heap objects. An attacker who can
influence encoder configuration in a transcoding service or WebRTC session could exploit this to cause a
denial of service (process crash) or potentially achieve code execution. (CVE-2026-56208)
A heap-buffer-overflow read vulnerability was found in libaom, the reference AV1 codec implementation. A
missing bounds check in the SVC (Scalable Video Coding) layer ID control function allows setting a
spatial_layer_id exceeding the configured number of layers. This causes an out-of-bounds heap read of
approximately 40,728 bytes when computing a layer context array index. An attacker who can influence SVC
encoder parameters in a network-facing service could exploit this for information disclosure (heap content
leak) or denial of service (segmentation fault from hitting unmapped memory). (CVE-2026-56210)
A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation.
Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control allows an
attacker to supply crafted video frame pixels that overlap with internal encoder layer context structures.
In fork-based video processing services, an attacker can use this to hijack the cyclic refresh map
pointer, brute-force the process base address via a crash oracle, and redirect control flow to achieve
arbitrary command execution. Exploitation requires the target service to use libaom with SVC encoding
enabled and accept attacker-supplied video frames. (CVE-2026-56211)
libexpat before 2.8.2 has an integer overflow in storeAtts. (CVE-2026-56403)
libexpat before 2.8.2 has an integer overflow in addBinding. (CVE-2026-56404)
libexpat before 2.8.2 has an integer overflow in getAttributeId. (CVE-2026-56405)
libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was
present in XML_Parse. (CVE-2026-56406)
libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity
textLen. (CVE-2026-56407)
libexpat before 2.8.2 has an integer overflow in copyString. (CVE-2026-56408)
libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call
depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-
free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219. (CVE-2026-56412)
Tenable has extracted the preceding description block directly from the tested product security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com//AL2/ALAS2-2026-3795.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12289.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12290.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12292.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12294.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12295.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12296.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12297.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12298.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12299.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12304.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12305.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12306.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12307.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12308.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12309.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12310.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12312.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12313.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12314.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12324.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12325.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12327.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12328.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12329.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-12330.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-50219.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-56131.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-56132.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-56208.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-56210.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-56211.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-56403.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-56404.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-56405.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-56406.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-56407.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-56408.html");
script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-56412.html");
script_set_attribute(attribute:"solution", value:
"Run 'yum update thunderbird' or
or 'yum update --advisory ALAS2-2026-3795' to update your system.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-56412");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2026-56405");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/04");
script_set_attribute(attribute:"patch_publication_date", value:"2026/07/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/07/08");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:thunderbird");
script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Amazon Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
exit(0);
}
include("rpm2.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
if (os_ver == 'A') os_ver = 'AMI';
audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}
if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var pkgs = [
{'reference':'thunderbird-140.12.0-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE},
{'reference':'thunderbird-140.12.0-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "thunderbird");
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation