Two out-of-band updates were just released to address a couple of zero-day vulnerabilities in Mozilla Firefox.
Mozilla says that both vulnerabilities are being actively exploited in the wild, meaning that patching should be done as soon as possible. Due to their characteristics, the vulnerabilities have been rated as critical, and their impact as high.
The two zero-days, CVE-2022-26485 and CVE-2022-26486, stem from use-after-free issues that affect the Extensible Stylesheet Language Transformations (XSLT) parameter processing, as well as the WebGPU inter-process communication framework (IPC).
CVE-2022-26485
The zero-day has been described as “Use-after-free in XSLT parameter processing”. It was discovered by Qihoo 360 ATA researchers (Wang Gang, Liu Jialei, Du Sihang, Huang Yi, and Yang Kang), who say that removing an XSLT parameter during processing could have led to an exploitable use-after-free. There are reports of attacks-in-the-wild exploiting the flaw.
CVE-2022-26486
This is a Use-after-free in WebGPU IPC Framework issue, also discovered by the same researchers. “An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape,” its description says.
Since both vulnerabilities have been weaponized by attackers in the wild, it is highly recommended to upgrade immediately to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0, and Thunderbird 91.6.2.
Learn more about previous critical vulnerabilities in Firefox.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: