If you use Thunderbird Daily for mail, news and calendar, be careful, because there is an important update. version 144 It's now available and comes with a good handful of improvements and, above all, security patches that should be applied without hesitation. In addition, annoying bugs have been fixed which affected common tasks such as moving messages, managing attachments or copying text from certain alerts from the client itself.
It's worth remembering where we are: Thunderbird is a free, open-source, cross-platform email application with a very clear philosophy. Works locally on your computer, unlike web services like Gmail, which for many users is an advantage in terms of control, privacy, and performance. It's easy to use, customizable to the core, and supports IMAP and POP, a built-in RSS reader, HTML email, and advanced filters. With that in mind, release 144 polishes the experience and significantly strengthens security.
What's changing in Thunderbird 144
The new release focuses, above all, on robustness. According to the notes published by the Mozilla team, Thunderbird 144 puts the focus on security and in fixing bugs detected in previous versions. You'll also find minor visual tweaks and user experience improvements, but the big news is that it updates components, fixes regressions, and plugs vulnerabilities that could cause headaches.
A significant technical update for those using the Flatpak package is that the runtime environment has been updated to Freedesktop SDK 24.08. This revision modernizes distribution facilities in that format, with the aim of gaining stability and compatibility in Linux environments where Flatpak is the preferred installation and update method.
In everyday use, the list of fixes is extensive. For example, a problem with the Delete key and attachments in OpenPGP-protected messages has been fixed. In previous versions, the behavior when deleting attachments was not as expected and could prevent or fail to prevent deletion in appropriate cases; from now on, OpenPGP attachment handling respects user intent, avoiding surprises when deleting or keeping attachments.
We've also fixed an issue where a newly created folder wouldn't appear in the Recents section when moving a message. It may seem minor, but when you're organizing your email on the fly, This immediate visibility speeds things up a lot Message classification. Similarly, the sender avatar, which was sometimes incorrectly displayed, is now displayed correctly, helping you identify at a glance who's writing to you.
Other improvements
Another fix that those who follow long conversations will appreciate: sorting by thread only showed those with the main message unread, leaving out other interesting threads. That's now fixed, and the thread view It's once again consistent with the reality of your inbox. Automatic reads in newsgroups, which were triggered inappropriately after an NNTP error, have also been adjusted; messages are now not marked as read if the server didn't return them correctly.
On the email security front, there are several important improvements. Issues with signing headers when creating OpenPGP emails have been fixed, and support for version 6 of the OpenPGP standard with PQC keys has also been added, a key step toward the future of cryptography. Thus, You can now read emails signed with OpenPGP v6 and post-quantum keys., which opens the door to greater long-term resilience to advances in computing.
S/MIME certificate handling has also been improved. Errors have been fixed when using a personal certificate with a specific identity or when dealing with old certificates. Additionally, the application allows you to check an S/MIME certificate for a sub-identity and test expired or invalid certificates for diagnostic purposes. Thanks to these changes, The S/MIME configuration and testing flow becomes more reliable, reducing friction in corporate environments.
The compose window becomes more flexible: if you started from a modified draft, changed your identity, and Thunderbird prevented you from saving, this will no longer happen. The crash has been fixed, so you can alternate identities in composition Without fear of losing changes or having a half-finished draft. Related to composition, if you Shift-click a mailto link, it now opens a plain text message directly—useful when you want to avoid HTML due to policy or preference.
User experience
In terms of user experience, the image preview in the Insert Image box for web resources has been fixed, which previously failed due to content security policies. Additionally, the Copy Message to action in newsgroup filters that had been broken has been fixed, and a series of crashes detected in various scenarios have been addressed. All of this results in Thunderbird 144 feels more stable and consistent.
Other fixes that may be familiar to you if you've been affected by these issues: In Exchange accounts, the Reply All button could disappear; it no longer does. Sending through servers with self-signed certificates was failing; fixed. Importing a profile located at the root of a zip file wasn't working; it now does. In calendar discovery with certificate errors, multiple exceptions were displayed; that noise has been reduced. As a bonus, Not all the headers were signed when creating an OpenPGP email with a digital signature; fixed.
In the calendar, copying events via drag and drop in multi-week or monthly views was problematic; that feature is back. We've also fixed task reminders that failed if they didn't have an end date or if the due date had shifted, so Task management is reliable again and predictable.
As if that weren't enough, a crash that occurred when checking multiple accounts for new mail has been identified and fixed—a frustrating situation if you manage multiple mailboxes. Also, when deleting or separating multiple attachments at once, the confirmation box would only list the first one; now the confirmation accurately reflects the entire list, providing clarity on potentially destructive actions.
One more usability note: it's now possible to copy text from certain error alerts that weren't previously allowed. It seems like a minor detail, but when you're diagnosing, being able to copy the exact message greatly speeds up the search for solutions or the reporting of incidents.
Security: The Case of CVE-2025-11721
Among the most critical fixes is one that addresses a memory safety issue identified as CVE-2025-11721, which affected Firefox and Thunderbird prior to versions 144. This flaw showed signs of memory corruption and, with sufficient effort by an attacker, could lead to arbitrary code execution. In practical terms, a remote attacker could take control of the process if it managed to get the user to visit a malicious website or open a specially manipulated email.
The nature of the vulnerability points to classic memory management errors such as buffer overflows or use-after-free conditions. Although no public exploits have been observed in the wild, the fact that memory corruption exists implies a high risk. Any user with Firefox 143 or earlier and Thunderbird 143 or earlier was exposed, affecting confidentiality, integrity and availability of the system. Since there is no published CVSS score at that time, the analysis must be based on potential impact and exploitability.
The patch that neutralizes CVE-2025-11721 arrived with versions 144 of both products, so updating is no longer recommended but urgent. In a European context, organizations in sectors such as public administration, finance, healthcare, and critical infrastructure are especially sensitive due to the value of their data. Attacks could range from the theft of information and espionage to the implantation of malware or the disruption of operations, with potential regulatory consequences under frameworks such as the GDPR.
Exposure is broad due to the widespread adoption of these products and the minimal user interaction required. The good news is that there is no evidence of active exploitation, which opens a window for proactive mitigation. Among the European countries most affected by their user base are Germany, France, the United Kingdom, the Netherlands, Italy, Spain, and Sweden. the risk perimeter is considerable and requires immediate attention.
Mitigation recommendations
- Immediately update to Thunderbird 144 or later and, if applicable, to Firefox 144 or later. This applies the CVE-2025-11721 patch and reduces the attack surface.
- Harden the endpoint with application whitelists and EDR solutions that detect and block anomalous behavior in email and browser processes; the goal is stop malicious execution even if someone clicks where they shouldn't.
- Implements web filtering and email scanning at the network level to cut off URLs and payloads that could trigger the vulnerability. With two layers of defense, increases resilience.
- Train users to be cautious about unexpected links and attachments. Even if the interaction required is low, awareness reduces risk.
- Schedule vulnerability assessments and penetration tests focused on clients and browsers, in order to detect and remediate weak points before others exploit them.
- Keep backups and incident response plans ready to activate. The ability to recover quickly mitigates the impact if something goes wrong.
- Monitor threat intelligence sources to identify exploit attempts related to CVE-2025-11721 and react quickly. This monitoring allows preventive actions on time.
Plugin compatibility and release cycle
Thunderbird has adopted a monthly release cycle that delivers features and interface changes as they become available. This means regularly checking the compatibility of your extensions. To make this easier, you can install the Compatibility Check add-on, which helps you check if your accessories are ready for this cadence.
Some users may have seen a false incompatibility warning after updating to v142 or higher. This warning was due to cached compatibility information not always being refreshed properly. In fact, FiltaQuilla was already fully compatible with Thunderbird 144 despite the warning. A Bugzilla report with ID 1986027 was opened to follow up on the issue.
Speaking of FiltaQuilla, the add-on has followed its own path of improvements. Its recent changelog highlights support for Thunderbird branch 145, new localizations for French, Japanese, Italian, and Spanish, and the conversion of the settings dialog to HTML. Additionally, a toolbar button has been added for convenient access to settings, with the option to remove it from the toolbar customization menu if you don't need to always have it on hand.
In terms of fixes, FiltaQuilla addressed an issue where some attachments could be saved with incorrect names or formats. A manual fix was added to address a bug in the Messages API, which was returning an incorrectly encoded file name when it should have been decoded. This issue has been reported as Bug 1992976 for resolution within the platform. If you're interested in advanced filter features, the author recommends rating quickFilters, and for those interested in contributing, There are ways to donate or purchase a quickFilters Pro license to support development.
More fixes and usability improvements in Thunderbird 144
Returning to Thunderbird 144, it's worth mentioning other tweaks that have made it into this release. A regression that prevented access to Fastmail CalDAV using application passwords due to a forced switch to OAuth has been resolved; access is now working normally again. Crashes were eliminated in various scenarios, as well as errors that distracted and wasted administrators' time.
Interaction with mailto links has been fine-tuned: Shift-clicking on a Compose message for that address now opens it directly in plain text, a useful practice when ensuring maximum compatibility or following strict policies in an enterprise environment. Plain text editing It may also be a personal preference that is now just a click away.
For those who rely on newsgroup filters, the copy message action has been brought back to life after being broken, making it task automation It's back in its place. And if you're working with Exchange, the occasional disappearance of the Reply All button is history.
Another area that's been strengthened is profile imports. If you saved a profile to the root folder of a zip file, the import failed; with 144, this approach is once again valid, saving you intermediate steps. On the visual side, there are interface and UX tweaks that, while not spectacular, polish details that are noticeable After a few hours of use: consistent views, clearer dialog boxes, and fewer crashes.
Thunderbird Download 144
If you haven't updated yet, you can do so from the official Thunderbird website, where you'll find binaries for 32- and 64-bit systems. You can also update from your package manager or the built-in updater, depending on your platform. Additionally, incremental update packages are available in MAR format to facilitate the transition from previous versions.
As always, it's a good idea to review the release notes for the fine details before deploying to multiple machines, especially if you manage corporate environments. While this release is focused on stability and patches, It is advisable to check compatibility of your key integrations and add-ons, especially if you rely on specific workflows with calendars, NNTP, or encryption.
Beyond the stark list of fixes, the overall picture of Thunderbird 144 is clear: a release focused on closing high-impact vulnerabilities, cleaning up annoying regressions, and strengthening productivity pillars like filtering, composition, and interoperability with servers and certificates. It's a worthwhile upgrade for any user profile, from those who only send four emails a day to those who manage multiple accounts and calendars with demanding integrations.
