You are currently viewing Mozilla Fixes Two Actively Exploited Zero-Days in Firefox and Thunderbird

Mozilla Fixes Two Actively Exploited Zero-Days in Firefox and Thunderbird

Mozilla has released an out-of-band security update for Firefox, Firefox ESR, Firefox Focus, Firefox for Android, and Thunderbird, fixing two critical vulnerabilities (CVE-2022-26485, CVE-2022-26486). Mozilla is aware of the active exploitation of these vulnerabilities. Furthermore, when a patch is released, a vulnerability management tool can quickly mitigate the vulnerability. Therefore, a Vulnerability Management Software can prevent these attacks.

The zero-day vulnerabilities fixed by Mozilla are:

  • CVE-2022-26485: Removing an XSLT parameter will trigger this during processing, resulting in an exploitable use-after-free. In the Extensible Markup Language (XML), the <xsl: param> element is used to declare a local or global parameter. XML is a markup language like HTML, designed for storing and using data. The zero-day vulnerability CVE-2022-26485 exploits the XSLT <xsl: param> and <xsl:with-param> elements to pass parameters to a template.
  • CVE-2022-26486: Attackers exploit this vulnerability by sending an unexpected message in the WebGPU IPC framework, which leads to a use-after-free scenario and enables a sandbox escape using them. WebGPU exposes an API for making operations such as rendering and computation on a Graphics Processing Unit. Moreover, interprocess communication (IPC) refers to the mechanisms an operating system provides to allow the processes to manage shared data. WebGPU sees physical Graphics Processing Units (GPU) hardware as GPU adapters.
  • It provides a connection that contains resources, and the device’s GPUQueues, which execute commands. The idea of browser sandboxes is to shield the system from malware attacking the browser. They do this by containing bad code from visiting a website in the sandbox part of the browser. The ability to bypass the application’s security sandbox is valuable to an attacker because it can be coupled with other vulnerabilities to take over the target system, so they likely used these two vulnerabilities together in online attacks since the same researchers reported them. This CVE, along with CVE-2022-26485, must be patched immediately.


Lastly, the use-after-free vulnerabilities will cause two zero-day attacks. These vulnerabilities release memory after representing it (CWE-416). It is possible to exploit this vulnerability to corrupt memory and launch denial-of-service or remote code execution attacks. Depending on the privileges of the targeted user, an attacker can install programs, view, change, or delete data or create new accounts with full user rights. This is how Mozilla fixed the two critical vulnerabilities (CVE-2022-26485, CVE-2022-26486).

As Mozilla's security advisory explains, the Firefox developers are aware of "reports of attacks in the wild" actively exploiting these vulnerabilities.

Affected products

  • Mozilla Firefox: 9.0.1 – 97.0.1
  • Firefox ESR: 91.0 – 91.6.0, 78.0 – 78.15.0
  • Firefox for Android: 79.0.0 – 97.2.0
  • Firefox Focus before 97.3
  • Thunderbird before 91.6.2


Successful vulnerability exploitation may allow an attacker to compromise the vulnerable system.


Please refer to this KB Article to apply the patches using SanerNow.

SanerNow VM and SanerNow PM detect and automatically fix these vulnerabilities by applying security updates. Use SanerNow and keep your systems updated and secure.

Share this article