
Two new zero-day bugs in Mozilla Firefox are being actively exploited

Mozilla has released out-of-band (unscheduled) security updates for its Firefox web browser to address two high-impact vulnerabilities that, according to the company, are being actively exploited in the wild.

Mozilla Firefox or Firefox is a free and open-source web browser developed by Mozilla Corporation.

The two zero-days, tracked as CVE-2022-26485 and CVE-2022-26486, are both use-after-free bugs: the first in Firefox's handling of Extensible Stylesheet Language Transformations (XSLT) parameters, the second in the WebGPU inter-process communication (IPC) framework.

Mozilla's advisory describes the two vulnerabilities as follows:

  • CVE-2022-26485: Removing an XSLT parameter during processing could lead to an exploitable use-after-free.
  • CVE-2022-26486: An unexpected message in the WebGPU IPC framework could lead to a use-after-free and an exploitable sandbox escape.

Mozilla stated that “We have had reports of attacks in the wild” exploiting the two flaws, but it provided no technical details about the attacks and did not name the threat actors behind them. The pairing is typical of a full browser exploit chain (one memory-corruption bug for code execution inside the sandboxed content process, one IPC bug to escape that sandbox), although Mozilla did not say whether the two were used together. Qihoo 360 ATA security researchers Wang Gang, Liu Jialei, Du Sihang, Huang Yi, and Yang Kang are credited with finding and reporting the vulnerabilities.

Mozilla advises users to upgrade to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, or Thunderbird 91.6.2 as soon as possible.
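Checking whether a fleet is patched is not a plain numeric comparison: the ESR line (91.x) and the rapid-release line (97.x) have separate fix versions, and an older release build such as 96.0.3 is still vulnerable even though its number is lower than 97.0.2. The following Python, written for this article and not code from Mozilla, encodes the fixed versions Mozilla published and flags vulnerable installs from a constructed inventory. It assumes that an ESR install is recognisable either by an "esr" suffix on its version string (as shown in about:support) or by a 91.x major version reported under the product name "firefox"; the hostnames and product names in the sample inventory are made up for the example.

```python
import re

# Minimum fixed versions for CVE-2022-26485 / CVE-2022-26486, keyed by product,
# as published by Mozilla. Anything below these on its own branch is vulnerable.
FIXED_VERSIONS = {
    "firefox": (97, 0, 2),          # rapid-release channel
    "firefox-esr": (91, 6, 1),      # extended support release
    "firefox-android": (97, 3, 0),
    "thunderbird": (91, 6, 2),
}

# Assumption for this example: the 91.x line is the ESR branch. Release builds
# 92-96 are end-of-life and have no fix of their own, so they stay on the
# rapid-release comparison and are correctly reported as vulnerable.
ESR_MAJOR = 91


def parse_version(v: str) -> tuple[int, int, int]:
    """Turn '97.0.2', '91.6.1esr' or '97.0b3' into a comparable (major, minor, patch).

    Only the leading digits of each component count, so a beta like '97.0b3'
    parses as (97, 0, 0) and compares as older than the 97.0.2 fix.
    """
    core = v.strip().lower().removesuffix("esr")
    nums = []
    for part in core.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    if not nums:
        raise ValueError(f"unparseable version: {v!r}")
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def resolve_product(product: str, version: str) -> str:
    """Map a reported product/version onto the branch whose fix version applies."""
    product = product.strip().lower()
    if product == "firefox":
        major = parse_version(version)[0]
        if version.strip().lower().endswith("esr") or major == ESR_MAJOR:
            return "firefox-esr"
    if product not in FIXED_VERSIONS:
        raise ValueError(f"unknown product: {product!r}")
    return product


def is_patched(product: str, version: str) -> bool:
    """True if this build carries the fix for both zero-days."""
    branch = resolve_product(product, version)
    return parse_version(version) >= FIXED_VERSIONS[branch]


# Constructed sample inventory: (hostname, product, version). Not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "97.0.1"),          # one patch level short
    ("ws-02", "firefox", "97.0.2"),          # fixed
    ("ws-03", "firefox", "91.6.1esr"),       # ESR, fixed
    ("ws-04", "firefox", "96.0.3"),          # old release build, vulnerable
    ("ws-05", "firefox-esr", "91.6.0"),      # ESR, one patch level short
    ("ws-06", "thunderbird", "91.6.2"),      # fixed
    ("ws-07", "firefox-android", "97.3.0"),  # fixed
    ("ws-08", "firefox", "98.0"),            # newer release, fixed
]


def triage(inventory) -> list[str]:
    """Return the hostnames that still run a vulnerable build, in inventory order."""
    return [host for host, product, version in inventory
            if not is_patched(product, version)]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: needs update for CVE-2022-26485 / CVE-2022-26486")
```

Feed it whatever your endpoint-management tool exports for the browser version; the only branch-specific logic is in `resolve_product`, so a wrong ESR guess shows up as a single misrouted comparison rather than a silent pass.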
