Critical Firefox Zero-Day Bugs Allow RCE, Sandbox Escape

2022-03-07 16:19

Mozilla has released an emergency update for its Firefox browser that addresses two critical security vulnerabilities that cybercriminals have actively exploited in the wild as zero days.

The first bug addressed by Mozilla, CVE-2022-26485, is a use-after-free problem in the browser's XSLT parameter processing.

"Removing an XSLT parameter during processing could have led to an exploitable use-after-free," according to Mozilla's advisory over the weekend.

"An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape," according to Mozilla.

The second is being used for sandbox escape, as noted by Mozilla.

"This sort of security hole can typically be abused on its own, or in combination with an RCE bug to allow implanted malware to escape from the security confines imposed by your browser, thus making an already bad situation even worse," Ducklin noted in a Saturday overview.

News URL

https://threatpost.com/firefox-zero-day-bugs-rce-sandbox-escape/178779/

#critical #firefox #RCE #sandbox #zeroday #CVE-2022-26485

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2022-12-22	CVE-2022-26485	Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. network low complexity CWE-416	8.8

News URL

Related news

Related Vulnerability