CVE-2022-26486

CVSS 9.6 CRITICALEPSS 2.3%● KEVCWE-416

Vexday Risk Score

58Attention

SSVC decision (CISA)

Act

Exploitation + impact → act immediately

CVSS 9.6EPSS 2.3%KEV simPoC —Nuclei —Metasploit —Patch —

Lifecycle

07 Mar 2022Active exploitation (CISA KEV)

22 Dec 2022Published on NVD

Recommendation: Patch as soon as possible — active exploitation confirmed.

In short

A flaw in Firefox's graphics processing framework allows attackers to exploit freed memory, potentially breaking out of the browser's security sandbox. This critical vulnerability has been actively exploited in real-world attacks.

Technical detail

A malformed WebGPU IPC message triggers a use-after-free condition in the inter-process communication framework, allowing an attacker with local or network access to execute arbitrary code and escape the sandbox. The vulnerability affects multiple Firefox products without user interaction beyond visiting a malicious page.

Summary generated and translated by AI from the official description.

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected products

Mozilla · Firefox Mozilla · Firefox ESR Mozilla · Firefox for Android Mozilla · Focus Mozilla · Thunderbird

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1758070 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26486 https://www.mozilla.org/security/advisories/mfsa2022-09/