Mozilla fixes Firefox zero-days exploited in the wild (CVE-2022-26485, CVE-2022-26486)
Mozilla has released an out-of-band security update for Firefox, Firefox Focus, and Thunderbird, fixing two critical vulnerabilities exploited by attackers in the wild.
CVE-2022-26485 affects XSLT parameter processing and can be used to achieve remote code execution within the context of the application.
CVE-2022-26486 affects the WebGPU IPC Framework and allows attackers to perform a sandbox escape.
While the number of Firefox users has been steadily declining over the last decade, it is still used by millions of users.
According to Mozilla's user activity statistics, nearly 215 million Firefox desktop clients have been active in the past 28 days.
Firefox releases major updates roughly every 50 days, but when the situation warrants it, as in this case, out-of-band security updates are pushed out.
News URL
https://www.helpnetsecurity.com/2022/03/07/cve-2022-26485-cve-2022-26486/
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-12-22 | CVE-2022-26486 | Use After Free vulnerability in Mozilla products: an unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. | 9.6 |
| 2022-12-22 | CVE-2022-26485 | Use After Free vulnerability in Mozilla products: removing an XSLT parameter during processing could have led to an exploitable use-after-free. | 8.8 |