With Thunderbird version 136 for Windows, macOS, and Linux, Mozilla is officially launching a new desktop release channel, which will now be the standard deployment channel for updates.
As with Mozilla’s Firefox browser, there will be monthly updates that include new features and improvements along with bug fixes and closed security flaws. Thunderbird’s current version number will correspond to Firefox’s current version number.
In Thunderbird 136, the developers have eliminated at least 11 security vulnerabilities, which are documented in Mozilla’s 2025-17 Security Advisory, of which four vulnerabilities are reported as “high” risk. Thunderbird inherits most of the vulnerabilities in Firefox’s code, but since script execution is disabled when reading emails, it’s very unlikely for most vulnerabilities to be exploitable in Thunderbird.
Switching to the new release channel
Mozilla wants to encourage as many Thunderbird users as possible to switch to the new release channel. New users are offered this channel as the default download, and anyone who wants to use the previous Thunderbird ESR version must look for it specifically.
If you’re an ESR user who wants to switch to the new release channel, you must first download the Thunderbird 136 installer. Before you install it, make sure to save your user profile in case something goes wrong. (It probably won’t, though.) Then, install Thunderbird 136 in the same directory as your existing Thunderbird version.
Thunderbird ESR will continue to exist
The current long-term version is Thunderbird 128 ESR (Extended Service Release) and it’ll continue to get security updates until September 2025. At that point, ESR releases will continue with Thunderbird 140 ESR.
The ESR channel for more conservative users, including companies and public authorities, who prioritize stability over new features and improvements. Thunderbird ESR releases get monthly security updates, and the version numbers follow Firefox ESR.
In the latest update for Thunderbird 128 ERS (versino 128.8.0esr), the developers have closed at least 10 security vulnerabilities. Mozilla classifies one of them as “critical”: CVE-2024-43097 is caused by an integer overflow in the open-source 2D graphics library Skia. The other fixed flaws are largely the same as in Thunderbird 136.
End of support for old desktop PCs
Unlike Firefox, there is no legacy Thunderbird version for Windows 7 and 8.1 or macOS 10.12 to 10.14 with up-to-date security updates. Thunderbird 115.18.0esr from December 2024 is officially the last version still supported on those older operating systems.
Then there’s Thunderbird Mobile, which has been available since November 2024. Mozilla acquired the open-source K-9 Mail app and its two main developers in 2023. Since then, they’ve been working on transforming K-9 Mail into Thunderbird Mobile.
You can switch from K-9 to Thunderbird Mobile, but there are no plans to allow switching in the opposite direction. The current version is Thunderbird Mobile 9.0 released in March 2025. While Thunderbird Mobile is currently for Android only, an iOS version is planned.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.
