The Mozilla Foundation has patched two Critical vulnerabilities in Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0.
An attacker could exploit these vulnerabilities to take control of impacted systems.
As part of Mozilla Foundation Security Advisory 2022-09, the Firefox updates fixed two Critical severity vulnerabilities:
- CVE-2022-26485: Use-after-free in XSLT parameter processing
- CVE-2022-26486: Use-after-free in WebGPU IPC Framework.
Each of these issues could lead to an exploitable use-after-free condition. The second flaw can also result in an exploitable sandbox escape.
“We have had reports of attacks in the wild abusing this flaw,” Mozilla warned in the advisory.