CVE-2022-26387

Summary

When installing an add-on, Firefox verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Firefox would not have noticed. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefoxunspecified < 98affected
MozillaFirefox ESRunspecified < 91.7affected
MozillaThunderbirdunspecified < 91.7affected

Weaknesses

  • Time-of-check time-of-use bug when verifying add-on signatures

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References