
Mozilla fixes Firefox zero-days exploited in the wild (CVE-2022-26485, CVE-2022-26486)
2022-03-07 10:46

Mozilla has released an out-of-band security update for Firefox, Firefox Focus, and Thunderbird, fixing two critical vulnerabilities exploited by attackers in the wild.

CVE-2022-26485 affects XSLT parameter processing and can be used to achieve remote code execution within the context of the application.

CVE-2022-26486 affects the WebGPU IPC Framework and allows attackers to perform a sandbox escape.

While the number of Firefox users has been steadily declining over the last decade, the browser still has millions of users.

According to Mozilla's user activity statistics, nearly 215 million Firefox desktop clients have been active in the past 28 days.

Firefox releases major updates roughly every 50 days, but when the situation warrants it, as in this case, out-of-band security updates are pushed out.


News URL

https://www.helpnetsecurity.com/2022/03/07/cve-2022-26485-cve-2022-26486/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                               RISK
2022-12-22  CVE-2022-26486  Use After Free vulnerability in Mozilla products  critical (score 9.6)
            An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.
            Attack vector: network; attack complexity: low; vendor: mozilla; weakness: CWE-416
2022-12-22  CVE-2022-26485  Use After Free vulnerability in Mozilla products  score 8.8
            Removing an XSLT parameter during processing could have led to an exploitable use-after-free.
            Attack vector: network; attack complexity: low; vendor: mozilla; weakness: CWE-416

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Mozilla 29 13 629 582 266 1490