Critical Firefox Zero-Day Bugs Allow RCE, Sandbox Escape

Both vulnerabilities are use-after-free issues in Mozilla’s popular web browser.

Mozilla has released an emergency update for its Firefox browser that addresses two critical security vulnerabilities that cybercriminals have actively exploited in the wild as zero days.

Both are use-after-free bugs, which are memory-corruption issues that occur when an application continues to try to use a chunk of memory that was assigned to it, after said chunk was freed up for use by a different application. This kind of problem can lead to remote code execution (RCE), data corruption and system crashes.

The first bug addressed by Mozilla, CVE-2022-26485, is a use-after-free problem in the browser’s XSLT parameter processing. XSLT parameters are used for creating stylesheets that are used to determine the look and feel of a website.

“Removing an XSLT parameter during processing could have led to an exploitable use-after-free,” according to Mozilla’s advisory over the weekend.

The second bug, CVE-2022-26486, is a use-after-free issue in the WebGPU IPC Framework. WebGPU is a web API that supports multimedia on webpages by employing a machine’s Graphics Processing Unit (GPU). It’s used to support gaming, video conferencing and 3D modeling, among other things.

“An unexpected message in

Read More: https://threatpost.com/firefox-zero-day-bugs-rce-sandbox-escape/178779/