Mozilla addresses two actively exploited zero-day flaws in Firefox

Mozilla fixed two critical actively exploited zero-day bugs in Firefox with the release of 97.0.2, ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0.

Mozilla has released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to address a couple of critical zero-day vulnerabilities, tracked as CVE-2022-26485 and CVE-2022-26485, actively exploited in attacks.

The two vulnerabilities are “Use-after-free” issues in XSLT parameter processing and in the WebGPU IPC Framework respectively.

Successful exploitation of the flaws can cause a program crash or execute arbitrary commands on the machine.

Below is the description of both flaws included in the advisory published by Mozilla:

• CVE-2022-26485: Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw.
• CVE-2022-26486: An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.

“We have had reports of attacks in the wild abusing this flaw.” reads the advisory for both issues.

Mozilla hasn’t shared details about the attacks.

These vulnerabilities were reported by security researchers from the Chinese cybersecurity firm Qihoo 360 ATA.

Users are commended to install security updates immediately.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Mozilla)

[adrotate banner=”5″]

[adrotate banner=”13″]