Issued: Wednesday, 9 March, 2022
Last Revision: Wednesday, 9 March, 2022
Vendor: Mozilla
Product: Firefox, Firefox ESR, Firefox for Android, Focus, Thunderbird
Severity Level: Critical
Earlier this week, Mozilla released out-of-band security updates for its Firefox browser, addressing two critical vulnerabilities. Both vulnerabilities have been exploited by cybercriminals in the wild.
Both of the patched zero-days are "use-after-free" vulnerabilities, which can let attackers access memory that a program has already released. The term "use-after-free" (UAF) refers to a memory corruption bug in which an application keeps using memory after it has been freed and is no longer assigned to it. Once that memory has been handed out again for another purpose, the stale access can lead to crashes and data overwriting, or can enable remote code execution.
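The following is an added illustration of the bug class described above, not code from Mozilla or from the affected products. It uses a hypothetical `session_t` object: the comment shows the dangling-alias pattern that produces a use-after-free, and the executed code shows the reference-counted alternative in which memory is freed only by the last owner and the caller's pointer is cleared on release.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical "session" object used only for this illustration. */
typedef struct {
    int refs;          /* number of live owners */
    char name[32];
} session_t;

session_t *session_new(const char *name) {
    session_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->refs = 1;
    strncpy(s->name, name, sizeof s->name - 1);
    return s;
}

/* A second owner takes its own reference instead of aliasing the raw pointer. */
session_t *session_ref(session_t *s) {
    s->refs++;
    return s;
}

/* Release one reference; free only when the last owner lets go, and always
 * clear the caller's pointer so a stale copy cannot be dereferenced later. */
void session_unref(session_t **sp) {
    session_t *s = *sp;
    if (!s) return;
    if (--s->refs == 0) {
        memset(s, 0, sizeof *s);   /* scrub before handing memory back */
        free(s);
    }
    *sp = NULL;
}

/* The bug pattern (deliberately not executed): two raw aliases, one path
 * frees, the other keeps using the released memory.
 *
 *   session_t *a = session_new("x"); session_t *b = a;
 *   free(a);                 // memory returned to the allocator
 *   strlen(b->name);         // use-after-free: b is now dangling
 */

/* Safe version of the same two-owner scenario. Returns 1 if every step behaved. */
int demo_two_owners(void) {
    session_t *a = session_new("alice");
    session_t *b = session_ref(a);         /* b is a real owner, not an alias */
    session_unref(&a);                     /* a is done; b still holds the object */
    int still_valid = (b != NULL && b->refs == 1 && strcmp(b->name, "alice") == 0);
    session_unref(&b);                     /* last owner: memory freed, b cleared */
    return still_valid && a == NULL && b == NULL;
}
```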
| CVE/Vulnerability | Description | CVSS 3.0 Score |
| --- | --- | --- |
| CVE-2022-26485 | Use-after-free vulnerability | n/a |
| CVE-2022-26486 | Use-after-free vulnerability | n/a |
Table 1: Vulnerability details
| CVE/Vulnerability | Affected Product(s) | Fixed Version(s) |
| --- | --- | --- |
| CVE-2022-26485 | Firefox, Firefox ESR, Firefox for Android, Focus, Thunderbird | Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3, Focus 97.3, Thunderbird 91.6.2 |
| CVE-2022-26486 | Firefox, Firefox ESR, Firefox for Android, Focus, Thunderbird | Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3, Focus 97.3, Thunderbird 91.6.2 |
Table 2: Vulnerable versions
Organizations are strongly advised to install the latest security updates immediately.
