Security researcher Atte Kettunen from OUSPG reported an out of bounds read during the decoding of WAV format audio files for playback. This could allow web content access to heap data as well as causing a crash.
In general this flaw cannot be exploited through email in the Thunderbird and Seamonkey products because audio is disabled, but is potentially a risk in browser or browser-like contexts.