Thunderbird 91.5.0 fixes several security issues

Martin Brinkmann
Jan 12, 2022
Updated • Jan 12, 2022

Thunderbird 91.5.0 Stable is a security update that addresses several issues in the open source email client.

The new version of Thunderbird Stable is already available. It is pushed to user systems, provided that automatic updating has not been disabled.

Thunderbird users may run manual checks for updates to install the update early. Select Help > About Thunderbird to display the installed version and have Thunderbird run a check for updates manually. Users who don't see the menubar need to press the Alt-key on the keyboard to display it.

The official release notes list just three entries: two refer to fixed issues in the email client, one links to the security advisories page, which details the fixed security issues in the client.

The two non-security issues that were fixed address a display issue for RSS keyword labels and missing information on Thunderbird's about dialog page.

The security advisories page for Thunderbird 91.5 lists 14 security issues, many of which come from the code that Thunderbird shares with the Firefox web browser.

The highest severity rating of all vulnerabilities is high, second only to the critical rating. Here is the full list of security issues patched in the new Thunderbird version:

  1. CVE-2022-22746: Calling into reportValidity could have led to fullscreen window spoof
  2. CVE-2022-22743: Browser window spoof using fullscreen mode
  3. CVE-2022-22742: Out-of-bounds memory access when inserting text in edit mode
  4. CVE-2022-22741: Browser window spoof using fullscreen mode
  5. CVE-2022-22740: Use-after-free of ChannelEventQueue::mOwner
  6. CVE-2022-22738: Heap-buffer-overflow in blendGaussianBlur
  7. CVE-2022-22737: Race condition when playing audio files
  8. CVE-2021-4140: Iframe sandbox bypass with XSLT
  9. CVE-2022-22748: Spoofed origin on external protocol launch dialog
  10. CVE-2022-22745: Leaking cross-origin URLs through securitypolicyviolation event
  11. CVE-2022-22744: The 'Copy as curl' feature in DevTools did not fully escape website-controlled data, potentially leading to command injection
  12. CVE-2022-22747: Crash when handling empty pkcs7 sequence
  13. CVE-2022-22739: Missing throttling on external protocol launch dialog
  14. CVE-2022-22751: Memory safety bugs fixed in Thunderbird 91.5

Now You: do you use Thunderbird? What would you like to see supported?


Ghacks Technology News



  1. Anonymous said on January 29, 2022 at 4:22 pm

    Thanks for the update. Too bad I haven’t received an email for either of my accounts since Jan 12.
    Thunderbird no longer connects to either of my mail servers since this “upgrade”. This really doesn’t make me want to continue using the product.

  2. Max Air said on January 17, 2022 at 7:11 pm

    It would be nice in version 91 if the ‘Save As’ menu containing the date suffix for eml file names was changeable to a date prefix instead. That way when sorting thru lots of saved emails, the Windows natural sort order for file names would be in chronological order. I realize Windows has a column configuration for ‘date sent’ to sort emails, but a prefix for the file names seems more logical. (and Windows sorts the file name columns faster as well). I could edit the eml file name each time I save an email file, but that’s more work than just adding the date prefix manually.

    I’ve been adding my own date prefix ever since I started with Thunderbird v3 years ago. I’m sticking with v78 unless the ‘Save As’ can be reconfigured or an add-on is available. (yes I know about Import Export Tools NG, but that’s awkward for just saving one email at a time.)

    Maybe I’m the only one that likes files saved in chronological order by prefix. JPG files have always been that way, so it seems logical that Thunderbird would have followed suit.

  3. Derek Clements said on January 14, 2022 at 4:33 am

    Thanks Martin.
    No, I don’t use Thunderbird – although I did for most of my IT life until recently.
    Frankly, I’m sick to morbidity with dealing with Mozilla’s undocumented preferences (about:config) system. It’s bad enough having to do it for Firefox without having to repeat the process for Thunderbox. As such, I’ve made the effort to learn, to a working level, how to configure and run Gnus. I run Gnus via GNU Emacs and what a breath of fresh air it is to use. No requirement for a graphical user interface (GUI) if desired, and indeed the mouse becomes redundant. Such liberation allows for unfettered rapid processing of the huge amount of mailing list email I receive each day, and as I am familiar with Emacs, writing messages is a lot less burdensome as well.
    Such an environment highlights the amount of inefficient time wasting addictive garbage the likes of Apple and Microsoft have pushed (yes “push” as in the drug pusher context) onto the naive public over the recent generations.
    I am so glad I made the switch, it did require the effort to learn, but indeed well worth it. GNU Emacs and the associated Gnus come with extensive internal documentation, no web searches required to learn how to configure and use.

  4. Tom hawack said on January 12, 2022 at 11:46 pm

    I’ve used Thunderbird for years and then moved on to an email service provider. It’s like moving from an owned flat to a rented one : much less to take care of. Accessible from anywhere. I download & backup all with the excellent Mailstore application. But should I ever return to an email client it’d be Thunderbird for sure.

    One of the reasons which got me to opt for an email service provider in place of an email client was when the browser (Firefox here) improved its opening time. Before that the browser would require, what was it, 30 seconds, to start. So email had to be local. Now Firefox opens instantly. I check my mail with the ‘Pop Peeper’ application (resident) and then get on to the email service practically as fast as starting a local email provider, be Firefox already opened or not. And all my email is encrypted and password locked, on the cloud indeed, but I have confidence in the email service I’ve chosen and used for years now.

    1. Kalle Kula said on January 13, 2022 at 8:02 pm

      Are you a sales person for the “excellent Mailstore application”? :-)

      1. Tom Hawack said on January 14, 2022 at 10:54 am

        Would I be one for flattering the excellency of your comment?!

  5. ULBoom said on January 12, 2022 at 7:51 pm

    It works.

    It would be nice if you could set line lengths without an extension that only works with plain text. Maybe you can now, IDK. Overall the composer in TBird isn’t all that friendly, weird formatting and text size behavior since day one. Inserting pics and links is easy.

    I’m not an email power user by any means so TBird is OK.

  6. Paul(us) said on January 12, 2022 at 6:09 pm

    Especially the composition part with especially cutting and pasting could be made much more accessible.
    I don’t like to write it, but Microsoft Outlook 2019 is much easier, simpler to handle and has a lot more possibilities, composition wise.
