CVE-2022-26485 in Canonical and Mozilla Products
Published on December 22, 2022

Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

Vendor Advisory Vendor Advisory NVD

Known Exploited Vulnerability

This Mozilla Firefox Use-After-Free Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Mozilla Firefox contains a use-after-free vulnerability in XSLT parameter processing which can be exploited to perform arbitrary code execution.

The following remediation steps are recommended / required by March 21, 2022: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2022-26485 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

What is a Dangling pointer Vulnerability?

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CVE-2022-26485 has been classified to as a Dangling pointer vulnerability or weakness.

Products Associated with CVE-2022-26485

You can be notified by stack.watch whenever vulnerabilities like CVE-2022-26485 are published in these products:

Canonical Ubuntu Linux

Mozilla Firefox Focus

Mozilla Firefox

Mozilla FireFox Extended Support Release (ESR)

Mozilla Thunderbird

What versions are vulnerable to CVE-2022-26485?