CVE-2026-4371
A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail
CVSS
7.4
High
EPSS
0.4%
p28
KEV
—
Exploit Today
8
0-100
Published: Mar 24, 2026 · Last modified: Jul 15, 2026 · CWE-126 · CWE-130
0.4%EPSS · 30 days0.4%
2026-06-302026-07-16
A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking sensitive data. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.
- bugzilla.mozilla.orghttps://bugzilla.mozilla.org/show_bug.cgi?id=2023493
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-23/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-24/
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6188
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6342
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6917
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:8284
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:8285
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:8286
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:8287
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:8288
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:8289
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:8290
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:8315
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:8850
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-4371
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2451001
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4371.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-338467.5 HIG66.4%
——20A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.2dCVE-2026-256468.1 HIG57.4%
——17LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.2dCVE-2026-53678.6 HIG54.7%
——16A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the disclosure of sensitive information stored in heap memory, which is then returned to the attacker's virtual machine port.2dCVE-2026-52608.2 HIG50.0%
——15A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure.2dCVE-2026-504686.5 MED49.6%
——15Buffer over-read in SQL Server allows an authorized attacker to disclose information over a network.3dCVE-2026-504456.5 MED47.7%
——14Buffer over-read in Windows RDP allows an unauthorized attacker to disclose information over a network.2d