CVE-2021-23993
MEDIUMThunderbird < 78.9.1 - Denial of Service via Crafted OpenPGP Key with Invalid Subkey Self Signature
Title source: llmDescription
An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent. If an attacker creates a crafted OpenPGP key with a subkey that has an invalid self signature, and the Thunderbird user imports the crafted key, then Thunderbird may try to use the invalid subkey, but the RNP library rejects it from being used, causing encryption to fail. This vulnerability affects Thunderbird < 78.9.1.
References (2)
Core 2
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://www.mozilla.org/security/advisories/mfsa2021-13/
Issue Tracking, Permissions Required, Vendor Advisory x_refsource_misc
https://bugzilla.mozilla.org/show_bug.cgi?id=1666360
Scores
CVSS v3
6.5
EPSS
0.0006
EPSS Percentile
20.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-347
Status
published
Products (1)
mozilla/thunderbird
< 78.9.1
Published
Jun 24, 2021
Tracked Since
Feb 18, 2026