CVE-2020-26970

When reading SMTP server status codes, Thunderbird writes an integer value to a position on the stack that is intended to contain just one byte. Depending on processor architecture and stack layout, this leads to stack corruption that may be exploitable. This vulnerability affects Thunderbird < 78.5.1.

Published: Dec 9, 2020
Updated: Apr 14, 2023
CVE: CVE-2020-26970
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C

CWEs:

CWE-787

Affected Software
References

Software	From	Fixed in
mozilla / thunderbird	-	78.5.1

https://bugzilla.mozilla.org/show_bug.cgi?id=1677338
https://www.mozilla.org/security/advisories/mfsa2020-53/

Vulnerability Database

CVE-2020-26970