Mozilla fixes two actively exploited vulnerabilities in Firefox with patch

Spread the love

Mozilla fixes two vulnerabilities in Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3, Focus 97.3 and Thunderbird 91.6.2. Mozilla knows those vulnerabilities have been actively exploited and calls them “critical.”

The patch for the various Firefox browsers was released by Mozilla on Saturday and has been available for download ever since. The zerodays are both use-after-free vulnerabilities, one in XSLT parameter processing, the other in the WebGPU IPC framework. Such a vulnerability causes a program to attempt to use memory that has been freed up. If a malicious person exploits that vulnerability, the program crashes and code can be executed on a device without permission, Bleeping Computer explains.

The two vulnerabilities are serious, Mozilla writes. According to the company, both vulnerabilities have been exploited ‘in the wild’. The vulnerabilities have been assigned the CVE codes CVE-2022-26485 and CVE-2022-26486. The discovery of the vulnerabilities has been attributed by Mozilla to researchers at the Chinese security company Qihoo 360 ATA. Mozilla and Qihoo 360 ATA did not provide more details about how the vulnerabilities were exploited. It is not often that a zero day is found in Mozilla code.

You might also like
Exit mobile version