Select Page

Mozilla has pushed out-of-band software updates to its Firefox web browser to contain two high-impact security vulnerabilities, both of which it says are being actively exploited in the wild.

Tracked as CVE-2022-26485 and CVE-2022-26486, the zero-day flaws have been described as use-after-free issues impacting the Extensible Stylesheet Language Transformations (XSLT) parameter processing and the WebGPU inter-process communication (IPC) Framework.

XSLT is an XML-based language used for the conversion of XML documents into web pages or PDF documents, whereas WebGPU is an emerging web standard that’s been billed as a successor to the current WebGL JavaScript graphics library.

The description of the two flaws is below –

  • CVE-2022-26485 – Removing an XSLT parameter during processing could lead to an exploitable use-after-free
  • CVE-2022-26486 – An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape

images from Hacker News