Mozilla released out-of-band software program updates to its Firefox web browser to address two serious security vulnerabilities, both of which Mozilla claims are being exploited in the wild.
CVE-2022-26485 and CVE-2022-26486, the zero-working day flaws, have been explained as use-after-free issues affecting the XSLT parameter processing and the WebGPU inter-process communication (IPC) framework.
The description of the two flaws is down below –
- CVE-2022-26485 – Taking away an XSLT parameter for the duration of the processing could guide to an exploitable use-after-cost-free
- CVE-2022-26486 – An unpredicted information in the WebGPU IPC framework could guide to a use-just after-free of charge and exploitable sandbox escape
The use-after-free bugs – that can corrupt valid information and execute arbitrary code on compromised units – primarily arise from a “confusion regarding which component of the software is responsible for releasing memory.”.
Mozilla acknowledged that “we have observed attacks in the wild” exploiting the two vulnerabilities but did not provide any details about the intrusions or the identities of the malicious actors exploiting them.
The flaws were discovered and reported by security scientists Wang Gang, Liu Jialei, Du Sihang, Huang Yi, and Yang Kang of Qihoo 360 ATA.
Due to the active exploitation of the flaws, users are advised to upgrade as soon as possible to Firefox 97.2.2, Firefox ESR 91.6.1, Firefox for Android 97.3, Aim 97.3, and Thunderbird 91.6.2.