Use-After-Free Vulnerability in Mozilla Products
CVE-2022-26486

9.6CRITICAL

Key Information:

Vendor: Mozilla
Status: Firefox; Firefox Esr; Firefox For Android; Thunderbird
Vendor: CVE Published:; 22 December 2022

Badges

👾 Exploit Exists🦅 CISA Reported

What is CVE-2022-26486?

A flaw within the WebGPU IPC framework in Mozilla products can cause unexpected message handling leading to a use-after-free situation. This vulnerability has been reported to result in exploitable sandbox escapes, raising concerns as it potentially allows attackers to execute malicious code outside the intended security boundaries. Users of affected versions of Firefox, Thunderbird, and other Mozilla products should update to the latest versions to mitigate this risk.

CISA has reported CVE-2022-26486

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2022-26486 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply updates per vendor instructions.

Affected Version(s)

Firefox < 97.0.2

Firefox ESR < 91.6.1

Firefox for Android < 97.3.0

References

https://www.mozilla.org/security/advisories/mfsa2022-09/

https://bugzilla.mozilla.org/show_bug.cgi?id=1758070

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 22, 2022
👾
Exploit known to exist
Mar 7, 2022
🦅
CISA Reported
Mar 7, 2022
Vulnerability Reserved
Mar 4, 2022