Security News > 2022 > March > Critical Firefox Zero-Day Bugs Allow RCE, Sandbox Escape
Mozilla has released an emergency update for its Firefox browser that addresses two critical security vulnerabilities that cybercriminals have actively exploited in the wild as zero days.
The first bug addressed by Mozilla, CVE-2022-26485, is a use-after-free problem in the browser's XSLT parameter processing.
"Removing an XSLT parameter during processing could have led to an exploitable use-after-free," according to Mozilla's advisory over the weekend.
"An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape," according to Mozilla.
The second is being used for sandbox escape, as noted by Mozilla.
"This sort of security hole can typically be abused on its own, or in combination with an RCE bug to allow implanted malware to escape from the security confines imposed by your browser, thus making an already bad situation even worse," Ducklin noted in a Saturday overview.
News URL
https://threatpost.com/firefox-zero-day-bugs-rce-sandbox-escape/178779/
Related news
- Mozilla warns Windows users of critical Firefox sandbox escape flaw (source)
- Mozilla Patches Critical Firefox Bug Similar to Chrome’s Recent Zero-Day Vulnerability (source)
- Critical Firefox, Tor Browser sandbox escape flaw fixed (CVE-2025-2857) (source)
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- Critical RCE flaw in Apache Tomcat actively exploited in attacks (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist (source)
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication (source)
- Google fixes exploited Chrome sandbox bypass zero-day (CVE-2025-2783) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-12-22 | CVE-2022-26485 | Use After Free vulnerability in Mozilla products Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. | 8.8 |