Mozilla Releases Security Update for Firefox and Firefox ESR
Scheduled update for Firefox fixes actively exploited zero-day vulnerabilities
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Mozilla has released updates for Firefox, Firefox for Android, and Firefox ESR to address two critical vulnerabilities. CVE-2022-26485, a use-after-free vulnerability in XSLT parameter processing, could lead to corruption of valid data, arbitrary code execution, and system crashes. CVE-2022-26486, a use-after-free issue in the WebGPU IPC Framework, could allow an exploitable sandbox escape.
Both of these vulnerabilities are being exploited in the wild and could be used by an attacker to take control of an affected system. CISA have added these zero-day vulnerabilities to their Known Exploited Vulnerabilities Catalog.
Remediation advice
Affected organisations are encouraged to review the Mozilla Foundation Security Advisory 2022-09 and apply the necessary updates.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 8 March 2022 3:15 pm