CVE-2022-26486

Summary

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefoxunspecified < 97.0.2affected
MozillaFirefox ESRunspecified < 91.6.1affected
MozillaFirefox for Androidunspecified < 97.3.0affected
MozillaThunderbirdunspecified < 91.6.2affected
MozillaFocusunspecified < 97.3.0affected

Weaknesses

  • Use-after-free in WebGPU IPC Framework

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: no
    • Technical Impact: total

Additional References

References