⚡ TL;DR | Go Straight to the Firefox 97 0-day Report
Mozilla released new versions for their product in response to two zero-day vulnerabilities. Both CVE-2022-26485 and CVE-2022-26486 are being actively exploited.
- CVE-2022-26485 – Removing an XSLT parameter during processing could lead to an exploitable use-after-free.
- CVE-2022-26486 – An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.
To fix these vulnerabilities, Firefox 97.0.2 and Firefox ESR 91.6.1 have been released only a few days before Firefox 98 is scheduled to go live. Evidence enough that this out-of-band update is critical and should be installed as soon as possible.
The two vulnerabilities are related to XSLT and WebGPU. XSLT is an XML-type language designed to convert XML documents into PDF or HTML pages. WebGPU is the spiritual successor to WebGL JavaScript. Both the issues in these components can lead to a use-after-free vulnerability, which means the incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program.
