CVE-2022-26485

Summary

Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefoxunspecified < 97.0.2affected
MozillaFirefox ESRunspecified < 91.6.1affected
MozillaFirefox for Androidunspecified < 97.3.0affected
MozillaThunderbirdunspecified < 91.6.2affected
MozillaFocusunspecified < 97.3.0affected

Weaknesses

  • Use-after-free in XSLT parameter processing

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: no
    • Technical Impact: total

Additional References

References