Security News > 2022 > March > 2 New Mozilla Firefox 0-Day Bugs Under Active Attack — Patch Your Browser ASAP!
Mozilla has pushed out-of-band software updates to its Firefox web browser to contain two high-impact security vulnerabilities, both of which it says are being actively exploited in the wild.
Tracked as CVE-2022-26485 and CVE-2022-26486, the zero-day flaws have been described as use-after-free issues impacting the Extensible Stylesheet Language Transformations parameter processing and the WebGPU inter-process communication Framework.
CVE-2022-26485 - Removing an XSLT parameter during processing could lead to an exploitable use-after-free.
CVE-2022-26486 - An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.
Use-after-free bugs - which could be exploited to corrupt valid data and execute arbitrary code on compromised systems - stem mainly from a "Confusion over which part of the program is responsible for freeing the memory."
In light of active exploitation of the flaws, users are recommended to upgrade as soon as possible to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0, and Thunderbird 91.6.2.
News URL
https://thehackernews.com/2022/03/2-new-mozilla-firefox-0-day-bugs-under.html
Related news
- Browser-in-the-Browser attacks target CS2 players' Steam accounts (source)
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (source)
- Mozilla warns Windows users of critical Firefox sandbox escape flaw (source)
- Mozilla Patches Critical Firefox Bug Similar to Chrome’s Recent Zero-Day Vulnerability (source)
- Critical Firefox, Tor Browser sandbox escape flaw fixed (CVE-2025-2857) (source)
- Old Fortinet flaws under attack with new method its patch didn't prevent (source)
- Browser extensions make nearly every employee a potential attack vector (source)
- Three Reasons Why the Browser is Best for Stopping Phishing Attacks (source)
- SonicWall urges admins to patch VPN flaw exploited in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-12-22 | CVE-2022-26486 | Use After Free vulnerability in Mozilla products An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. | 9.6 |
| 2022-12-22 | CVE-2022-26485 | Use After Free vulnerability in Mozilla products Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. | 8.8 |