The Mozilla team announced the release of Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 fixing two critical zero-day vulnerabilities that are currently being exploited. It is caused by “use-after-free bugs that try to use previously cleared memory. When exploited, the bug can cause programs to crash and execute commands without permission.
The vulnerabilities are considered critical because they can allow a third party to execute a command, which can cause downloading malware to take over the device. The company stated that they were aware of these vulnerabilities being actively exploited in the wild, thus the company didn’t share detailed information about the methods that are being used.
The vulnerabilities were discovered and reported to Mozilla by Chinese cybersecurity company Qihoo 360 ATA. The company urged all users to apply the patch as soon as possible.
CVE-2022-26485: Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw.
CVE-2022-26486: An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw.