CVE-2022-26485

CVSS 8.8 HIGHEPSS 14.3%● KEVCWE-416

In short

A flaw in XSLT parameter handling allowed attackers to exploit a use-after-free vulnerability, potentially crashing the browser or executing malicious code. This bug affected multiple Firefox products and was actively exploited in real attacks.

Technical detail

Use-after-free vulnerability (CWE-416) in XSLT parameter processing where improper memory management during parameter removal could be leveraged for arbitrary code execution. Remote attack vector requiring user interaction (opening malicious content); impacts Firefox, Firefox ESR, Firefox Android, Thunderbird, and Focus versions prior to specified patches.

Summary generated and translated by AI from the official description.

Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Mozilla · Firefox Mozilla · Firefox ESR Mozilla · Firefox for Android Mozilla · Focus Mozilla · Thunderbird

public PoCs found — 1

githubgithub.com/mistymntncop/CVE-2022-26485★ 17

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1758062 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26485 https://www.mozilla.org/security/advisories/mfsa2022-09/