Security News > 2022 > March > 2 New Mozilla Firefox 0-Day Bugs Under Active Attack — Patch Your Browser ASAP!

2 New Mozilla Firefox 0-Day Bugs Under Active Attack — Patch Your Browser ASAP!
2022-03-07 19:33

Mozilla has pushed out-of-band software updates to its Firefox web browser to contain two high-impact security vulnerabilities, both of which it says are being actively exploited in the wild.

Tracked as CVE-2022-26485 and CVE-2022-26486, the zero-day flaws have been described as use-after-free issues impacting the Extensible Stylesheet Language Transformations parameter processing and the WebGPU inter-process communication Framework.

CVE-2022-26485 - Removing an XSLT parameter during processing could lead to an exploitable use-after-free.

CVE-2022-26486 - An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.

Use-after-free bugs - which could be exploited to corrupt valid data and execute arbitrary code on compromised systems - stem mainly from a "Confusion over which part of the program is responsible for freeing the memory."

In light of active exploitation of the flaws, users are recommended to upgrade as soon as possible to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0, and Thunderbird 91.6.2.


News URL

https://thehackernews.com/2022/03/2-new-mozilla-firefox-0-day-bugs-under.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-12-22 CVE-2022-26486 Use After Free vulnerability in Mozilla products
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.
network
low complexity
mozilla CWE-416
critical
9.6
2022-12-22 CVE-2022-26485 Use After Free vulnerability in Mozilla products
Removing an XSLT parameter during processing could have lead to an exploitable use-after-free.
network
low complexity
mozilla CWE-416
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Mozilla 29 13 633 583 266 1495