Mozilla Foundation Security Advisory 2022-09

Security Vulnerabilities fixed in Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0

Announced
March 5, 2022
Impact
high
Products
Firefox, Firefox ESR, Firefox for Android, Focus, Thunderbird
Fixed in
  • Firefox 97.0.2
  • Firefox ESR 91.6.1
  • Firefox for Android 97.3
  • Focus 97.3
  • Thunderbird 91.6.2

#CVE-2022-26485: Use-after-free in XSLT parameter processing

Reporter
Wang Gang, Liu Jialei, Du Sihang, Huang Yi & Yang Kang of 360 ATA
Impact
critical
Description

Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw.

References

#CVE-2022-26486: Use-after-free in WebGPU IPC Framework

Reporter
Wang Gang, Liu Jialei, Du Sihang, Huang Yi & Yang Kang of 360 ATA
Impact
critical
Description

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw.

References