Mozilla has released an out-of-band security update for Firefox, Firefox Focus, and Thunderbird, fixing two critical vulnerabilities exploited by attackers in the wild.
CVE-2022-26485 affects XSLT parameter processing and can be used to achieve remote code execution within the context of the application.
CVE-2022-26486 affects the WebGPU IPC Framework and allows attackers to perform a sandbox escape.
While the number of Firefox users has been steadily declining over the last decade, the browser is still used by millions of people.
According to Mozilla's user activity statistics, nearly 215 million Firefox desktop clients have been active in the past 28 days.
Firefox releases major updates roughly every 50 days, but if the situation warrants - like in this case - out-of-band security updates are pushed out.
News URL
https://www.helpnetsecurity.com/2022/03/07/cve-2022-26485-cve-2022-26486/
Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2022-12-22 | CVE-2022-26486 | Use After Free vulnerability in Mozilla products: an unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. | 9.6
2022-12-22 | CVE-2022-26485 | Use After Free vulnerability in Mozilla products: removing an XSLT parameter during processing could have led to an exploitable use-after-free. | 8.8