New Firefox 97 0-Day Actively Exploited

⚡ TL;DR | Go Straight to the Firefox 97 0-day Report

Mozilla released new versions for their product in response to two zero-day vulnerabilities. Both CVE-2022-26485 and CVE-2022-26486 are being actively exploited.

  • CVE-2022-26485 - Removing an XSLT parameter during processing could lead to an exploitable use-after-free.
  • CVE-2022-26486 - An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.

To fix these vulnerabilities, Firefox 97.0.2 and Firefox ESR 91.6.1 have been released only a few days before Firefox 98 is scheduled to go live. Evidence enough that this out-of-band update is critical and should be installed as soon as possible.

The two vulnerabilities are related to XSLT and WebGPU. XSLT is an XML-type language designed to convert XML documents into PDF or HTML pages. WebGPU is the spiritual successor to WebGL JavaScript. Both the issues in these components can lead to a use-after-free vulnerability, which means the incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program.

You may also like...

Try Lansweeper for Free

Learn why Lansweeper is used by thousands of enterprises worldwide.​