Zero-Day Vulnerabilities in Firefox
7 March 2022
Mozilla has released security updates to address two zero-day vulnerabilities (CVE-2022-26485 and CVE-2022-26486) affecting Firefox. There are reports of targeted attacks exploiting these vulnerabilities. The vulnerabilities are listed as critical.
The vulnerabilities are:
CVE-2022-26485 - The vulnerability exists due to a use-after-free error when processing XSLT parameters. A remote attacker can trick the victim into opening a specially crafted web page, trigger the use-after-free error and execute arbitrary code on the victim’s system.
CVE-2022-26486 - The vulnerability exists due to a use-after-free error when processing messages in the WebGPU IPC Framework. A remote attacker can trick the victim into opening a specially crafted web page, trigger the use-after-free error and execute arbitrary code on the victim’s system.
These vulnerabilities affect versions prior to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0.
Users of affected products are advised to install the latest security updates immediately. All users are also encouraged to enable the automatic update function to ensure software updates are performed promptly.
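To check an inventory against the fixed versions above, each product has to be compared with its own threshold: Firefox ESR 91.6.1 is patched even though it is numerically lower than 97.0.2. The following is an added example, not part of the original advisory; the channel labels, host names and sample inventory are constructed for illustration.

```python
import re

# Fixed versions as stated in this advisory. The channel keys are labels
# chosen for this example, not identifiers from Mozilla.
FIXED = {
    "firefox": (97, 0, 2),
    "firefox-esr": (91, 6, 1),
    "firefox-android": (97, 3, 0),
    "focus": (97, 3, 0),
}

def parse_version(text):
    """Parse '97.0.1' or '91.6.0esr' into a 3-int tuple, zero-padded."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:esr)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def assess(product, version):
    """Return 'vulnerable', 'patched' or 'unknown' for one installation."""
    fixed = FIXED.get(product)
    if fixed is None:
        return "unknown"
    try:
        installed = parse_version(version)
    except ValueError:
        # Betas, nightlies or garbage: flag for manual review, never pass.
        return "unknown"
    return "patched" if installed >= fixed else "vulnerable"

def triage(inventory):
    """Map each (host, product, version) row to its assessment."""
    return {(h, p, v): assess(p, v) for h, p, v in inventory}

# Constructed sample inventory (hosts and versions are made up).
SAMPLE = [
    ("ws-01", "firefox", "97.0.1"),
    ("ws-02", "firefox", "97.0.2"),
    ("ws-03", "firefox-esr", "91.6.0esr"),
    ("ws-04", "firefox-esr", "91.6.1esr"),  # patched, though 91.6.1 < 97.0.2
    ("mob-01", "focus", "97.2.0"),
    ("ws-05", "firefox", "98.0b3"),
]

if __name__ == "__main__":
    for (host, product, version), status in triage(SAMPLE).items():
        print(f"{host:7} {product:16} {version:10} {status}")
```

Rows reported as "unknown" (unlisted products, beta or malformed version strings) need manual review rather than being treated as patched.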
More information is available here:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/
https://nakedsecurity.sophos.com/2022/03/05/firefox-patches-two-in-the-wild-exploits-update-now/