
Mozilla fixes Firefox zero-days exploited in the wild (CVE-2022-26485, CVE-2022-26486)
2022-03-07 10:46

Mozilla has released an out-of-band security update for Firefox, Firefox Focus, and Thunderbird, fixing two critical vulnerabilities exploited by attackers in the wild.

CVE-2022-26485 affects XSLT parameter processing and can be used to achieve remote code execution within the context of the application.

CVE-2022-26486 affects the WebGPU IPC Framework and allows attackers to perform a sandbox escape.

While the number of Firefox users has been steadily declining over the last decade, the browser is still used by millions of people.

According to Mozilla's user activity statistics, nearly 215 million Firefox desktop clients have been active in the past 28 days.

Mozilla releases major Firefox updates roughly every 50 days, but when the situation warrants it, as in this case, out-of-band security updates are pushed out.


News URL

https://www.helpnetsecurity.com/2022/03/07/cve-2022-26485-cve-2022-26486/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Mozilla 37 104 1471 525 562 2662