{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-26695", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-02-13T22:03:43.233Z", "datePublished": "2025-03-10T18:41:25.460Z", "dateUpdated": "2026-04-13T14:27:29.612Z"}, "containers": {"cna": {"affected": [{"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "128.8", "lessThanOrEqual": "128.*", "versionType": "rpm"}, {"status": "unaffected", "version": "136", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8."}]}], "title": "Downloading of OpenPGP keys from WKD used incorrect padding", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1883039"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-17/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-18/"}], "credits": [{"lang": "en", "value": "Daniel Huigens"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:27:29.612Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-03-10T18:51:16.839667Z", "id": "CVE-2025-26695", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T18:37:28.315Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-26695", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-10T18:51:16.839667Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-10T18:52:19.673Z"}}], "cna": {"title": "Downloading of OpenPGP keys from WKD used incorrect padding", "credits": [{"lang": "en", "value": "Daniel Huigens"}], "affected": [{"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "128.8", "versionType": "rpm", "lessThanOrEqual": "128.*"}, {"status": "unaffected", "version": "136", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1883039"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-17/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-18/"}], "descriptions": [{"lang": "en", "value": "When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.", "supportingMedia": [{"type": "text/html", "value": "When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:27:29.612Z"}}}, "cveMetadata": {"cveId": "CVE-2025-26695", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:27:29.612Z", "dateReserved": "2025-02-13T22:03:43.233Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-03-10T18:41:25.460Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3C5A2B6-C7B5-4888-B0A7-9DA0C3024C71", "versionEndExcluding": "128.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "93C81C9D-FC2E-4D7D-A97F-8DB97ED92192", "versionEndExcluding": "136.0", "versionStartIncluding": "129.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability was fixed in Thunderbird 136 and Thunderbird 128.8."}, {"lang": "es", "value": "Al solicitar una clave OpenPGP a un servidor WKD, se utiliz\u00f3 un tama\u00f1o de relleno incorrecto y un observador de la red podr\u00eda haber descubierto la longitud de la direcci\u00f3n de correo electr\u00f3nico solicitada. Esta vulnerabilidad afecta a Thunderbird < 136 y Thunderbird < 128.8."}], "id": "CVE-2025-26695", "lastModified": "2026-04-13T15:16:54.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-03-10T19:15:40.567", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1883039"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-17/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-18/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "thunderbird: Downloading of OpenPGP keys from WKD used incorrect padding", "id": "2351146", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351146"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-203", "details": ["When requesting an OpenPGP key from a WKD server, an incorrect padding size was used and a network observer could have learned the length of the requested email address. This vulnerability affects Thunderbird < 136 and Thunderbird < 128.8.", "A flaw was found in Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: When requesting an OpenPGP key from a WKD server, an incorrect padding size was used, and a network observer could have learned the length of the requested email address."], "name": "CVE-2025-26695", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-10T18:41:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-26695\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-26695\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1883039\nhttps://www.mozilla.org/security/advisories/mfsa2025-17/\nhttps://www.mozilla.org/security/advisories/mfsa2025-18/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-20T18:18:54.231481+00:00", "value": {"mitigation_remediation": ["Upgrade Thunderbird to version 136 or the 128.8 branch, which contain the padding fix.", "If an immediate upgrade is not possible, consider disabling WKD key retrieval in Thunderbird\u2019s preferences to stop outbound key lookup requests.", "Block outbound connections to known WKD URLs using a firewall or proxy to prevent the length disclosure until the client can be updated."], "summary": {"action": "Patch", "impact": "Information Disclosure via email address enumeration"}, "threat_synthesis": {"affected_systems": "This flaw was present in all Thunderbird releases before 128.8 and 136, inclusive. Mozilla released a fix in Thunderbird 136 and the legacy 128.8 branch. Systems running earlier versions of Thunderbird are affected.", "description_and_impact": "A bug in Thunderbird\u2019s OpenPGP key retrieval over the Web Key Directory protocol caused the client to use incorrect padding when forming the key request. The padding difference exposed the length of the email address used in the lookup, allowing an attacker who could observe traffic to a WKD server to learn how long a victim\u2019s email address is.", "risk_and_exploitability": "The CVSS score of 5.3 places this vulnerability in the medium range; the EPSS score of less than 1% indicates a low probability of exploitation. It is not listed in the CISA KEV catalog. The most likely attack path involves an adversary monitoring network traffic to a WKD endpoint and collecting length information, which can aid in user enumeration or targeted phishing. No elevated privileges or authentication are required."}}}}, "created": "2026-04-20T18:30:13.977131+00:00", "updated": "2026-04-20T18:30:13.977146+00:00", "vendors": []}