Mozilla has released new versions of Firefox in response to two zero-day vulnerabilities. Both CVE-2022-26485 and CVE-2022-26486 are being actively exploited.
- CVE-2022-26485 - Removing an XSLT parameter during processing could lead to an exploitable use-after-free.
- CVE-2022-26486 - An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.
To fix these vulnerabilities, Firefox 97.0.2 and Firefox ESR 91.6.1 have been released only a few days before Firefox 98 is scheduled to go live. That timing is evidence enough that this out-of-band update is critical and should be installed as soon as possible.
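
One way to check hosts against the fixed versions named above, as an added example that is not part of the original advisory. It assumes version banners in the form printed by `firefox --version`; the host names and inventory are constructed, and any build older than the fixed release on its channel is treated as needing the update.

```python
import re

# Fixed releases named in the advisory: Firefox 97.0.2 and Firefox ESR 91.6.1.
FIXED = {"release": (97, 0, 2), "esr": (91, 6, 1)}

# Matches banners such as "Mozilla Firefox 97.0.1" or "Mozilla Firefox 91.6.0esr".
_VERSION_RE = re.compile(r"Firefox\s+(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def parse_version(banner):
    """Return (channel, (major, minor, patch)), or None if the banner is not recognised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, esr = m.groups()
    channel = "esr" if esr else "release"
    return channel, (int(major), int(minor), int(patch or 0))


def needs_update(banner):
    """True if older than the fixed build for its channel, None if unparseable."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    channel, version = parsed
    return version < FIXED[channel]


def audit(inventory):
    """Map each host to 'UPDATE', 'patched' or 'unknown' (never assume patched)."""
    labels = {True: "UPDATE", False: "patched", None: "unknown"}
    return {host: labels[needs_update(banner)] for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts, banners as from `firefox --version`).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 97.0.1",
    "ws-02": "Mozilla Firefox 97.0.2",
    "ws-03": "Mozilla Firefox 91.6.0esr",
    "ws-04": "Mozilla Firefox 91.6.1esr",
    "ws-05": "firefox: command not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A banner that cannot be parsed is reported as `unknown` so it gets a manual look instead of being counted as patched.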