Mozilla has released out-of-band software upgrades for its Firefox web browser to address two high-impact security flaws, both of which are being actively exploited in the wild.
The zero-day bugs, tracked as CVE-2022-26485 and CVE-2022-26486, are described as use-after-free issues that affect the Extensible Stylesheet Language Transformations (XSLT) parameter processing and the WebGPU inter-process communication (IPC) Framework.
WebGPU is a emerging web standard that has been billed as a successor to the current WebGL JavaScript graphics library. XSLT is an XML-based language used to convert XML documents into web pages or PDF documents.
Use-after-free flaws, which can be misused to corrupt valid data and execute arbitrary code on infected systems, are caused by a “confusion over which part of the program is responsible for freeing the memory.”
Mozilla stated that “We have had reports of attacks in the wild” weaponizing the two flaws, but it did not provide any technical details about the incursions or the identities of the malicious actors exploiting them.
Qihoo 360 ATA security researchers Wang Gang, Liu Jialei, Du Sihang, Huang Yi, and Yang Kang are credited for discovering and reporting the flaws.
Since the security flaws are being actively exploited, users should upgrade to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0, and Thunderbird 91.6.2 as soon as possible.