Two out-of-band updates were just released to address a couple of zero-day vulnerabilities in Mozilla Firefox.
Mozilla says that both vulnerabilities are being actively exploited in the wild, meaning that patching should be done as soon as possible. Due to their characteristics, the vulnerabilities have been rated as critical, and their impact as high.
The two zero-days, CVE-2022-26485 and CVE-2022-26486, stem from use-after-free issues that affect the Extensible Stylesheet Language Transformations (XSLT) parameter processing, as well as the WebGPU inter-process communication framework (IPC).
The zero-day has been described as “Use-after-free in XSLT parameter processing”. It was discovered by Qihoo 360 ATA researchers (Wang Gang, Liu Jialei, Du Sihang, Huang Yi, and Yang Kang), who say that removing an XSLT parameter during processing could have led to an exploitable use-after-free. There are reports of attacks-in-the-wild exploiting the flaw.
This is a Use-after-free in WebGPU IPC Framework issue, also discovered by the same researchers. “An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape,” its description says.
Since both vulnerabilities have been weaponized by attackers in the wild, it is highly recommended to upgrade immediately to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0, and Thunderbird 91.6.2.
Learn more about previous critical vulnerabilities in Firefox.