2 New Mozilla Firefox 0-Day Bugs Under Active Attack — Patch Your Browser ASAP!

2022-03-07 19:33

Mozilla has pushed out-of-band software updates to its Firefox web browser to contain two high-impact security vulnerabilities, both of which it says are being actively exploited in the wild.

Tracked as CVE-2022-26485 and CVE-2022-26486, the zero-day flaws have been described as use-after-free issues impacting the Extensible Stylesheet Language Transformations parameter processing and the WebGPU inter-process communication Framework.

CVE-2022-26485 - Removing an XSLT parameter during processing could lead to an exploitable use-after-free.

CVE-2022-26486 - An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.

Use-after-free bugs - which could be exploited to corrupt valid data and execute arbitrary code on compromised systems - stem mainly from a "Confusion over which part of the program is responsible for freeing the memory."

In light of active exploitation of the flaws, users are recommended to upgrade as soon as possible to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0, and Thunderbird 91.6.2.

News URL

https://thehackernews.com/2022/03/2-new-mozilla-firefox-0-day-bugs-under.html

#0day #attack #browser #firefox #mozilla #patch #CVE-2022-26486 #CVE-2022-26485

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2022-12-22	CVE-2022-26486	An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. network low complexity CWE-416 critical	9.6
2022-12-22	CVE-2022-26485	Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. network low complexity CWE-416	8.8

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Mozilla		37	103	1360	531	429	2423

News URL

Related news

Related Vulnerability

Related vendor