Mozilla · Thunderbird · CVE-2021-23993
**Name of the Vulnerable Software and Affected Versions**
Thunderbird versions prior to 78.9.1
**Description**
The issue is insufficient verification of imported OpenPGP keys in the Thunderbird email client: subkeys were accepted at import without confirming that their self-signatures (subkey binding signatures) were valid. An attacker can exploit this to prevent a user from sending encrypted email to a correspondent. Specifically, if an attacker creates a crafted OpenPGP key with a subkey that has an invalid self-signature and a Thunderbird user imports this key, Thunderbird may select the invalid subkey for encryption; the RNP library (Thunderbird's OpenPGP backend) then rejects the subkey, and encryption of the message fails. The impact is a denial of service (DoS): the user cannot send encrypted mail to that correspondent while the crafted key is in use.
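The check that this class of bug calls for, as an added example (not code from the advisory, from Thunderbird or from RNP): a Python pre-check that walks an OpenPGP transferable public key (RFC 4880 packet format) and flags every subkey that is not followed by a subkey binding signature (type 0x18) whose Issuer subpacket names the primary key. It does not verify the signature cryptographically, which is what RNP does and what actually fails in this bug, so a well-formed binding signature with a bad signature value still passes here; it only catches the structurally obvious cases. The sample key bytes are constructed for the example (placeholder RSA numbers, an arbitrary creation time, no real signature values), and all helper and constant names are the example's own.

```python
import hashlib
import struct

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_PUBLIC_SUBKEY = 2, 6, 14
SIGTYPE_SUBKEY_BINDING = 0x18   # RFC 4880 5.2.1: subkey binding signature
SUBPACKET_ISSUER = 16           # RFC 4880 5.2.3.5: 8-octet issuer key ID

def decode_length(data, i):
    """New-format length (RFC 4880 4.2.2) at data[i] -> (length, next offset)."""
    b0 = data[i]
    if b0 < 192:
        return b0, i + 1
    if b0 < 224:
        return ((b0 - 192) << 8) + data[i + 1] + 192, i + 2
    if b0 == 255:
        return struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not supported here")

def parse_packets(data):
    """Split binary OpenPGP data into (tag, body) pairs; old and new headers."""
    out, i = [], 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        if hdr & 0x40:                              # new-format header
            tag = hdr & 0x3F
            n, i = decode_length(data, i + 1)
        else:                                       # old-format header
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4, None)[hdr & 0x03]
            if size is None:
                raise ValueError("indeterminate length unsupported")
            n = int.from_bytes(data[i + 1:i + 1 + size], "big")
            i += 1 + size
        out.append((tag, data[i:i + n]))
        i += n
    return out

def key_id_v4(key_body):
    """Key ID = low 64 bits of the v4 fingerprint (RFC 4880 12.2)."""
    h = hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body)
    return h.digest()[-8:]

def signature_issuer(sig_body):
    """(signature type, Issuer subpacket value or None) for a v4 signature."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures handled")
    sigtype, issuer, i = sig_body[1], None, 4
    for _ in range(2):                              # hashed, then unhashed area
        count = struct.unpack(">H", sig_body[i:i + 2])[0]
        i, end = i + 2, i + 2 + count
        while i < end:
            n, i = decode_length(sig_body, i)       # n covers type octet + data
            if sig_body[i] & 0x7F == SUBPACKET_ISSUER:   # mask the critical bit
                issuer = sig_body[i + 1:i + n]
            i += n
    return sigtype, issuer

def check_subkey_bindings(key_data):
    """Per subkey: (key ID hex, ok, reason); ok = 0x18 signature naming the primary."""
    pkts = parse_packets(key_data)
    if not pkts or pkts[0][0] != TAG_PUBLIC_KEY:
        raise ValueError("first packet must be the primary public key")
    primary_id, report = key_id_v4(pkts[0][1]), []
    for idx, (tag, body) in enumerate(pkts):
        if tag != TAG_PUBLIC_SUBKEY:
            continue
        sigs = []
        for t, b in pkts[idx + 1:]:                 # signatures right after it
            if t != TAG_SIGNATURE:
                break
            sigs.append(signature_issuer(b))
        issuers = [iss for st, iss in sigs if st == SIGTYPE_SUBKEY_BINDING]
        sub_id = key_id_v4(body).hex()
        if not issuers:
            report.append((sub_id, False, "no subkey binding signature"))
        elif primary_id not in issuers:
            report.append((sub_id, False, "binding signature issued by another key"))
        else:
            report.append((sub_id, True, "binding signature names the primary key"))
    return report

# --- constructed sample key: placeholder RSA numbers, no real signatures ---
def packet(tag, body):
    assert len(body) < 192                          # one-octet new-format length
    return bytes([0xC0 | tag, len(body)]) + body
def mpi(v):
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
def fake_key_body(modulus):
    return b"\x04" + struct.pack(">I", 1617235200) + b"\x01" + mpi(modulus) + mpi(65537)
def fake_binding_sig(issuer):
    sub = bytes([9, SUBPACKET_ISSUER]) + issuer     # unhashed Issuer subpacket
    return (b"\x04" + bytes([SIGTYPE_SUBKEY_BINDING, 1, 8]) + b"\x00\x00"
            + struct.pack(">H", len(sub)) + sub + b"\x00\x00" + mpi(0xBEEF))

PRIMARY = fake_key_body(0xC0FFEE1234567890ABCDEF)
SAMPLE_KEY = (packet(TAG_PUBLIC_KEY, PRIMARY)
              + packet(TAG_PUBLIC_SUBKEY, fake_key_body(0xA11CE))
              + packet(TAG_SIGNATURE, fake_binding_sig(key_id_v4(PRIMARY)))   # good
              + packet(TAG_PUBLIC_SUBKEY, fake_key_body(0xB0B5))
              + packet(TAG_SIGNATURE, fake_binding_sig(b"\xab" * 8))          # wrong issuer
              + packet(TAG_PUBLIC_SUBKEY, fake_key_body(0xDEAD)))              # unsigned
```

Calling `check_subkey_bindings(SAMPLE_KEY)` reports the first subkey as usable and the other two as rejected. In an importer the point is where that result is consumed: a subkey that fails this check, or whose binding signature the OpenPGP backend cannot verify, should be excluded from encryption-subkey selection at import time, not discovered when the user composes mail; otherwise an attacker-supplied key turns into exactly the send-time failure the advisory describes.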
**Recommendations**
For Thunderbird versions prior to 78.9.1, update to version 78.9.1 or later to resolve the issue. Until the update is applied, avoid importing OpenPGP keys from untrusted sources. If encryption to a correspondent begins failing after a key import, treat the imported key as suspect: remove it and obtain the correspondent's key again through a verified channel.