Vulnerability-Lookup

CVE-2022-26485 (GCVE-0-2022-26485)

Vulnerability from cvelistv5 – Published: 2022-12-22 00:00 – Updated: 2025-10-21 23:15

CISA KEV

Summary

Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

Use-after-free in XSLT parameter processing

Assigner

mozilla

References

2 references

URL	Tags
https://www.mozilla.org/security/advisories/mfsa2…
https://bugzilla.mozilla.org/show_bug.cgi?id=1758062

Impacted products

5 products

Vendor	Product	Version
Mozilla	Firefox	Affected: unspecified , < 97.0.2 (custom)
Mozilla	Firefox ESR	Affected: unspecified , < 91.6.1 (custom)
Mozilla	Firefox for Android	Affected: unspecified , < 97.3.0 (custom)
Mozilla	Thunderbird	Affected: unspecified , < 91.6.2 (custom)
Mozilla	Focus	Affected: unspecified , < 97.3.0 (custom)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: 5e8295a0-5b05-41bc-9fcc-0289f585190c

Vulnerability ID: CVE-2022-26485

Status: Confirmed

Status Updated: 2022-03-07 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2022-03-07

Asserted: 2022-03-07

Scope

Notes: KEV entry: Mozilla Firefox Use-After-Free Vulnerability | Affected: Mozilla / Firefox | Description: Mozilla Firefox contains a use-after-free vulnerability in XSLT parameter processing which can be exploited to perform arbitrary code execution. | Required action: Apply updates per vendor instructions. | Due date: 2022-03-21 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://nvd.nist.gov/vuln/detail/CVE-2022-26485

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes	CWE-416
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	Firefox
Due Date	2022-03-21
Date Added	2022-03-07
Vendorproject	Mozilla
Vulnerabilityname	Mozilla Firefox Use-After-Free Vulnerability
Knownransomwarecampaignuse	Unknown

References

CVE-2022-26485

Created: 2026-02-02 12:28 UTC | Updated: 2026-02-06 07:17 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:03:32.985Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758062"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-26485",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-28T21:32:55.676135Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-03-07",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26485"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:15:29.432Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26485"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-03-07T00:00:00.000Z",
            "value": "CVE-2022-26485 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "97.0.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "91.6.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Firefox for Android",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "97.3.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "91.6.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Focus",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "97.3.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Use-after-free in XSLT parameter processing",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-22T00:00:00.000Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
        },
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758062"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2022-26485",
    "datePublished": "2022-12-22T00:00:00.000Z",
    "dateReserved": "2022-03-04T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:15:29.432Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2022-26485",
      "cwes": "[\"CWE-416\"]",
      "dateAdded": "2022-03-07",
      "dueDate": "2022-03-21",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://nvd.nist.gov/vuln/detail/CVE-2022-26485",
      "product": "Firefox",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Mozilla Firefox contains a use-after-free vulnerability in XSLT parameter processing which can be exploited to perform arbitrary code execution.",
      "vendorProject": "Mozilla",
      "vulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability"
    },
    "epss": {
      "cve": "CVE-2022-26485",
      "date": "2026-05-24",
      "epss": "0.07372",
      "percentile": "0.9181"
    },
    "fkie_nvd": {
      "cisaActionDue": "2022-03-21",
      "cisaExploitAdd": "2022-03-07",
      "cisaRequiredAction": "Apply updates per vendor instructions.",
      "cisaVulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability",
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"97.0.2\", \"matchCriteriaId\": \"9D8E2245-D602-42F5-AA80-B3CFA666E595\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*\", \"versionEndExcluding\": \"97.3.0\", \"matchCriteriaId\": \"CDD84821-8FA2-483B-995B-5C1F571D4247\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"91.6.1\", \"matchCriteriaId\": \"4AE9257B-B169-42AF-82C6-EF62FDFE2110\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"97.3.0\", \"matchCriteriaId\": \"3F1EC4DF-B869-4BEB-BB9D-C629F82A9941\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"91.6.2\", \"matchCriteriaId\": \"FA3A4431-52FE-4BEE-A847-B500211A79AD\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.\"}, {\"lang\": \"es\", \"value\": \"La eliminaci\\u00f3n de un par\\u00e1metro XSLT durante el procesamiento podr\\u00eda haber dado lugar a un use-after-free explotable. Hemos recibido informes de ataques en la naturaleza que abusan de esta falla. Esta vulnerabilidad afecta a Firefox \u0026lt; 97.0.2, Firefox ESR \u0026lt; 91.6.1, Firefox para Android \u0026lt; 97.3.0, Thunderbird \u0026lt; 91.6.2 y Focus \u0026lt; 97.3.0.\"}]",
      "id": "CVE-2022-26485",
      "lastModified": "2024-11-21T06:54:02.350",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
      "published": "2022-12-22T20:15:22.563",
      "references": "[{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1758062\", \"source\": \"security@mozilla.org\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2022-09/\", \"source\": \"security@mozilla.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1758062\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2022-09/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@mozilla.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-416\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-26485\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2022-12-22T20:15:22.563\",\"lastModified\":\"2025-11-04T14:35:17.667\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.\"},{\"lang\":\"es\",\"value\":\"La eliminaci\u00f3n de un par\u00e1metro XSLT durante el procesamiento podr\u00eda haber dado lugar a un use-after-free explotable. Hemos recibido informes de ataques en la naturaleza que abusan de esta falla. Esta vulnerabilidad afecta a Firefox \u0026lt; 97.0.2, Firefox ESR \u0026lt; 91.6.1, Firefox para Android \u0026lt; 97.3.0, Thunderbird \u0026lt; 91.6.2 y Focus \u0026lt; 97.3.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"cisaExploitAdd\":\"2022-03-07\",\"cisaActionDue\":\"2022-03-21\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Mozilla Firefox Use-After-Free Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*\",\"versionEndExcluding\":\"91.6.1\",\"matchCriteriaId\":\"43351EFE-E64C-4ACD-A779-CBADE52E35B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*\",\"versionEndExcluding\":\"97.0.2\",\"matchCriteriaId\":\"E34F39EA-3536-47AE-948A-A1BE4FEBAA52\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*\",\"versionEndExcluding\":\"97.3.0\",\"matchCriteriaId\":\"CDD84821-8FA2-483B-995B-5C1F571D4247\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"97.3.0\",\"matchCriteriaId\":\"3F1EC4DF-B869-4BEB-BB9D-C629F82A9941\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"91.6.2\",\"matchCriteriaId\":\"FA3A4431-52FE-4BEE-A847-B500211A79AD\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1758062\",\"source\":\"security@mozilla.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2022-09/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1758062\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2022-09/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26485\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.mozilla.org/security/advisories/mfsa2022-09/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1758062\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T05:03:32.985Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-26485\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-28T21:32:55.676135Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-03-07\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26485\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2022-03-07T00:00:00.000Z\", \"value\": \"CVE-2022-26485 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26485\", \"tags\": [\"government-resource\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-28T21:32:28.142Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"Mozilla\", \"product\": \"Firefox\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"97.0.2\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Firefox ESR\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"91.6.1\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Firefox for Android\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"97.3.0\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Thunderbird\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"91.6.2\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Focus\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"97.3.0\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://www.mozilla.org/security/advisories/mfsa2022-09/\"}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1758062\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Use-after-free in XSLT parameter processing\"}]}], \"providerMetadata\": {\"orgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"shortName\": \"mozilla\", \"dateUpdated\": \"2022-12-22T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-26485\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:15:29.432Z\", \"dateReserved\": \"2022-03-04T00:00:00.000Z\", \"assignerOrgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"datePublished\": \"2022-12-22T00:00:00.000Z\", \"assignerShortName\": \"mozilla\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2022-AVI-210

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Mozilla. Elles permettent à un attaquant de provoquer une exécution de code arbitraire et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Mozilla	Thunderbird	Thunderbird versions antérieures à 91.6.2
Mozilla	Firefox	Firefox pour Android versions antérieures à 97.3
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 91.6.1
Mozilla	N/A	Focus versions antérieures à 97.3
Mozilla	Firefox	Firefox versions antérieures à 97.0.2

References

Title

Publication Time

CERTFR-2022-AVI-210

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Mozilla	Thunderbird	Thunderbird versions antérieures à 91.6.2
Mozilla	Firefox	Firefox pour Android versions antérieures à 97.3
Mozilla	Firefox ESR	Firefox ESR versions antérieures à 91.6.1
Mozilla	N/A	Focus versions antérieures à 97.3
Mozilla	Firefox	Firefox versions antérieures à 97.0.2

References

Title

Publication Time

alsa-2022:0818

Vulnerability from osv_almalinux

Published

2022-03-10 14:36

Modified

2022-03-10 21:25

Summary

Critical: firefox security update

Details

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 91.7.0 ESR.

Security Fix(es):

Mozilla: Use-after-free in XSLT parameter processing (CVE-2022-26485)
Mozilla: Use-after-free in WebGPU IPC Framework (CVE-2022-26486)
expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)
expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution (CVE-2022-25236)
expat: Integer overflow in storeRawNames() (CVE-2022-25315)
Mozilla: Use-after-free in text reflows (CVE-2022-26381)
Mozilla: Browser window spoof using fullscreen mode (CVE-2022-26383)
Mozilla: iframe allow-scripts sandbox bypass (CVE-2022-26384)
Mozilla: Time-of-check time-of-use bug when verifying add-on signatures (CVE-2022-26387)
Mozilla: Temporary files downloaded to /tmp and accessible by other local users (CVE-2022-26386)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://vulners.com/cve/CVE-2022-25235	REPORT
	https://vulners.com/cve/CVE-2022-25236	REPORT
	https://vulners.com/cve/CVE-2022-25315	REPORT
	https://vulners.com/cve/CVE-2022-26381	REPORT
	https://vulners.com/cve/CVE-2022-26383	REPORT
	https://vulners.com/cve/CVE-2022-26384	REPORT
	https://vulners.com/cve/CVE-2022-26386	REPORT
	https://vulners.com/cve/CVE-2022-26387	REPORT
	https://vulners.com/cve/CVE-2022-26485	REPORT
	https://vulners.com/cve/CVE-2022-26486	REPORT

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "firefox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "91.7.0-3.el8_5.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 91.7.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Use-after-free in XSLT parameter processing (CVE-2022-26485)\n\n* Mozilla: Use-after-free in WebGPU IPC Framework (CVE-2022-26486)\n\n* expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)\n\n* expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution (CVE-2022-25236)\n\n* expat: Integer overflow in storeRawNames() (CVE-2022-25315)\n\n* Mozilla: Use-after-free in text reflows (CVE-2022-26381)\n\n* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-26383)\n\n* Mozilla: iframe allow-scripts sandbox bypass (CVE-2022-26384)\n\n* Mozilla: Time-of-check time-of-use bug when verifying add-on signatures (CVE-2022-26387)\n\n* Mozilla: Temporary files downloaded to /tmp and accessible by other local users (CVE-2022-26386)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2022:0818",
  "modified": "2022-03-10T21:25:28Z",
  "published": "2022-03-10T14:36:51Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-25235"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-25236"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-25315"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-26381"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-26383"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-26384"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-26386"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-26387"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-26485"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-26486"
    }
  ],
  "related": [
    "CVE-2022-26485",
    "CVE-2022-26486",
    "CVE-2022-25235",
    "CVE-2022-25236",
    "CVE-2022-25315",
    "CVE-2022-26381",
    "CVE-2022-26383",
    "CVE-2022-26384",
    "CVE-2022-26387",
    "CVE-2022-26386"
  ],
  "summary": "Critical: firefox security update"
}

alsa-2022:0845

Vulnerability from osv_almalinux

Published

2022-03-14 09:49

Modified

2022-03-15 08:56

Summary

Important: thunderbird security update

Details

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 91.7.0.

Security Fix(es):

Mozilla: Use-after-free in XSLT parameter processing (CVE-2022-26485)
Mozilla: Use-after-free in WebGPU IPC Framework (CVE-2022-26486)
expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)
expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution (CVE-2022-25236)
expat: Integer overflow in storeRawNames() (CVE-2022-25315)
Mozilla: Use-after-free in text reflows (CVE-2022-26381)
Mozilla: Browser window spoof using fullscreen mode (CVE-2022-26383)
Mozilla: iframe allow-scripts sandbox bypass (CVE-2022-26384)
Mozilla: Time-of-check time-of-use bug when verifying add-on signatures (CVE-2022-26387)
thunderbird: Crafted email could trigger an out-of-bounds write (CVE-2022-0566)
Mozilla: Temporary files downloaded to /tmp and accessible by other local users (CVE-2022-26386)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://vulners.com/cve/CVE-2022-0566	REPORT
	https://vulners.com/cve/CVE-2022-25235	REPORT
	https://vulners.com/cve/CVE-2022-25236	REPORT
	https://vulners.com/cve/CVE-2022-25315	REPORT
	https://vulners.com/cve/CVE-2022-26381	REPORT
	https://vulners.com/cve/CVE-2022-26383	REPORT
	https://vulners.com/cve/CVE-2022-26384	REPORT
	https://vulners.com/cve/CVE-2022-26386	REPORT
	https://vulners.com/cve/CVE-2022-26387	REPORT
	https://vulners.com/cve/CVE-2022-26485	REPORT
	https://vulners.com/cve/CVE-2022-26486	REPORT

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "91.7.0-2.el8_5.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "thunderbird"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "91.7.0-2.el8_5.alma.plus"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 91.7.0.\n\nSecurity Fix(es):\n\n* Mozilla: Use-after-free in XSLT parameter processing (CVE-2022-26485)\n\n* Mozilla: Use-after-free in WebGPU IPC Framework (CVE-2022-26486)\n\n* expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)\n\n* expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution (CVE-2022-25236)\n\n* expat: Integer overflow in storeRawNames() (CVE-2022-25315)\n\n* Mozilla: Use-after-free in text reflows (CVE-2022-26381)\n\n* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-26383)\n\n* Mozilla: iframe allow-scripts sandbox bypass (CVE-2022-26384)\n\n* Mozilla: Time-of-check time-of-use bug when verifying add-on signatures (CVE-2022-26387)\n\n* thunderbird: Crafted email could trigger an out-of-bounds write (CVE-2022-0566)\n\n* Mozilla: Temporary files downloaded to /tmp and accessible by other local users (CVE-2022-26386)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2022:0845",
  "modified": "2022-03-15T08:56:50Z",
  "published": "2022-03-14T09:49:10Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-0566"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-25235"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-25236"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-25315"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-26381"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-26383"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-26384"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-26386"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-26387"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-26485"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2022-26486"
    }
  ],
  "related": [
    "CVE-2022-26485",
    "CVE-2022-26486",
    "CVE-2022-25235",
    "CVE-2022-25236",
    "CVE-2022-25315",
    "CVE-2022-26381",
    "CVE-2022-26383",
    "CVE-2022-26384",
    "CVE-2022-26387",
    "CVE-2022-0566",
    "CVE-2022-26386"
  ],
  "summary": "Important: thunderbird security update"
}

BDU:2022-01146

Vulnerability from fstec - Published: 05.03.2022

Title

Уязвимость параметра XSLT браузеров Mozilla Firefox и Focus, позволяющая нарушителю выполнить произвольный код

Description

Уязвимость параметра XSLT браузеров Mozilla Firefox и Focus связана с использованием памяти после ее освобождения. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код

Severity ?


                    
                      AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Vendor

ООО «Ред Софт», ФССП России, Mozilla Corp., АО «ИВК», АО "НППКТ", АО «Концерн ВНИИНС»

Software Name

РЕД ОС (запись в едином реестре российских программ №3751), ОС ТД АИС ФССП России, Firefox, Firefox ESR, Focus, Альт 8 СП (запись в едином реестре российских программ №4305), ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913), ОС ОН «Стрелец» (запись в едином реестре российских программ №6177)

Software Version

7.3 (РЕД ОС), ИК6 (ОС ТД АИС ФССП России), до 97.0.2 (Firefox), до 91.6.1 (Firefox ESR), до 97.3 (Firefox), до 97.3 (Focus), - (Альт 8 СП), до 2.4.3 (ОСОН ОСнова Оnyx), до 16.01.2023 (ОС ОН «Стрелец»)

Possible Mitigations

1. Использование рекомендаций производителя: https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/ 2. Доступ только к доверенным Интернет-ресурсам 3. Использование межсетевого экрана 4. Запуск браузера от имени пользователя с минимальными привилегиями Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/ Для ОС ТД АИС ФССП России: https://goslinux.fssp.gov.ru/2726972/ Для ОС Альт 8 СП: Обновление программного обеспечения до актуальной версии Для ОСОН Основа: Обновление программного обеспечения firefox-esr до версии 91.7.0esr+repack-1~deb10u1.osnova1 Для ОСОН Основа: Обновление программного обеспечения thunderbird до версии 1:91.7.0+repack-2~deb10u1.osnova1 Для ОС ОН «Стрелец»: Обновление программного обеспечения firefox-esr до версии 91.13.0esr+repack-1~deb10u1.osnova1.strelets Обновление программного обеспечения thunderbird до версии 1:91.13.0+repack-1~deb10u1.osnova1.strelets

Reference

http://repo.red-soft.ru/redos/7.3c/x86_64/updates/ https://altsp.su/obnovleniya-bezopasnosti/ https://goslinux.fssp.gov.ru/2726972/ https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/ https://www.opennet.ru/opennews/art.shtml?num=56808 https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.4.3/ https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.4.3/ https://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023 https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.5/ https://bugzilla.mozilla.org/show_bug.cgi?id=1758062

CWE

CWE-416

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438, Mozilla Corp., \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\", \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), \u0418\u041a6 (\u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438), \u0434\u043e 97.0.2 (Firefox), \u0434\u043e 91.6.1 (Firefox ESR), \u0434\u043e 97.3 (Firefox), \u0434\u043e 97.3 (Focus), - (\u0410\u043b\u044c\u0442 8 \u0421\u041f), \u0434\u043e 2.4.3 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), \u0434\u043e 16.01.2023 (\u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "1. \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/\n2. \u0414\u043e\u0441\u0442\u0443\u043f \u0442\u043e\u043b\u044c\u043a\u043e \u043a \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u043c \u0418\u043d\u0442\u0435\u0440\u043d\u0435\u0442-\u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\n3. \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u044d\u043a\u0440\u0430\u043d\u0430\n4. \u0417\u0430\u043f\u0443\u0441\u043a \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430 \u043e\u0442 \u0438\u043c\u0435\u043d\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0441 \u043c\u0438\u043d\u0438\u043c\u0430\u043b\u044c\u043d\u044b\u043c\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u044f\u043c\u0438\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421:\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f \u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438:\nhttps://goslinux.fssp.gov.ru/2726972/\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043e \u0430\u043a\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0441\u043d\u043e\u0432\u0430:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f firefox-esr \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 91.7.0esr+repack-1~deb10u1.osnova1\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0441\u043d\u043e\u0432\u0430:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f thunderbird \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1:91.7.0+repack-2~deb10u1.osnova1\n\n\u0414\u043b\u044f \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f firefox-esr \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 91.13.0esr+repack-1~deb10u1.osnova1.strelets\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f thunderbird \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1:91.13.0+repack-1~deb10u1.osnova1.strelets\n\n",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "05.03.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "13.09.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "05.03.2022",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-01146",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-26485",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438, Firefox, Firefox ESR, Focus, \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438 \u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438 \u0418\u041a6 , \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb \u0434\u043e 16.01.2023  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 XSLT \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u0432 Mozilla Firefox \u0438 Focus, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043f\u043e\u0441\u043b\u0435 \u043e\u0441\u0432\u043e\u0431\u043e\u0436\u0434\u0435\u043d\u0438\u044f (CWE-416)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 XSLT \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u0432 Mozilla Firefox \u0438 Focus \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u043f\u0430\u043c\u044f\u0442\u0438 \u043f\u043e\u0441\u043b\u0435 \u0435\u0435 \u043e\u0441\u0432\u043e\u0431\u043e\u0436\u0434\u0435\u043d\u0438\u044f. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "http://repo.red-soft.ru/redos/7.3c/x86_64/updates/\nhttps://altsp.su/obnovleniya-bezopasnosti/\nhttps://goslinux.fssp.gov.ru/2726972/\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-09/\nhttps://www.opennet.ru/opennews/art.shtml?num=56808\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.4.3/\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.4.3/\nhttps://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.5/\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1758062",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-416",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,6)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}

CNVD-2023-55356

Vulnerability from cnvd - Published: 2023-07-11

Title

Mozilla Firefox资源管理错误漏洞（CNVD-2023-55356）

Description

Mozilla Firefox是美国Mozilla基金会的一款开源Web浏览器。 Mozilla Firefox存在资源管理错误漏洞，该漏洞源于处理XSLT参数时出现“释放后使用”错误。攻击者可利用该漏洞诱骗受害者打开精心构建的网页，在系统上执行任意代码。

Severity

高

Patch Name

Mozilla Firefox资源管理错误漏洞（CNVD-2023-55356）的补丁

Patch Description

Mozilla Firefox是美国Mozilla基金会的一款开源Web浏览器。 Mozilla Firefox存在资源管理错误漏洞，该漏洞源于处理XSLT参数时出现“释放后使用”错误。攻击者可利用该漏洞诱骗受害者打开精心构建的网页，在系统上执行任意代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： http://www.mozilla.org/en-US/security/advisories/mfsa2022-09/

Reference

https://www.cybersecurity-help.cz/vdb/SB2022030501

Impacted products

Name
['Mozilla Firefox <97.0.2', 'Mozilla Firefox ESR <91.6.1', 'Mozilla firefox focus <97.3.0', 'Mozilla Thunderbird <91.6.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-26485"
    }
  },
  "description": "Mozilla Firefox\u662f\u7f8e\u56fdMozilla\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5f00\u6e90Web\u6d4f\u89c8\u5668\u3002\n\nMozilla Firefox\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5904\u7406XSLT\u53c2\u6570\u65f6\u51fa\u73b0\u201c\u91ca\u653e\u540e\u4f7f\u7528\u201d\u9519\u8bef\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bf1\u9a97\u53d7\u5bb3\u8005\u6253\u5f00\u7cbe\u5fc3\u6784\u5efa\u7684\u7f51\u9875\uff0c\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttp://www.mozilla.org/en-US/security/advisories/mfsa2022-09/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-55356",
  "openTime": "2023-07-11",
  "patchDescription": "Mozilla Firefox\u662f\u7f8e\u56fdMozilla\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5f00\u6e90Web\u6d4f\u89c8\u5668\u3002\r\n\r\nMozilla Firefox\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5904\u7406XSLT\u53c2\u6570\u65f6\u51fa\u73b0\u201c\u91ca\u653e\u540e\u4f7f\u7528\u201d\u9519\u8bef\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bf1\u9a97\u53d7\u5bb3\u8005\u6253\u5f00\u7cbe\u5fc3\u6784\u5efa\u7684\u7f51\u9875\uff0c\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002 \u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Mozilla Firefox\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2023-55356\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Mozilla Firefox \u003c97.0.2",
      "Mozilla Firefox ESR \u003c91.6.1",
      "Mozilla firefox focus \u003c97.3.0",
      "Mozilla Thunderbird \u003c91.6.2"
    ]
  },
  "referenceLink": "https://www.cybersecurity-help.cz/vdb/SB2022030501",
  "serverity": "\u9ad8",
  "submitTime": "2022-03-08",
  "title": "Mozilla Firefox\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2023-55356\uff09"
}

FKIE_CVE-2022-26485

Vulnerability from fkie_nvd - Published: 2022-12-22 20:15 - Updated: 2025-11-04 14:35

CISA KEV

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security@mozilla.org	https://bugzilla.mozilla.org/show_bug.cgi?id=1758062	Exploit, Issue Tracking, Vendor Advisory
security@mozilla.org	https://www.mozilla.org/security/advisories/mfsa2022-09/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.mozilla.org/show_bug.cgi?id=1758062	Exploit, Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.mozilla.org/security/advisories/mfsa2022-09/	Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26485	US Government Resource

Impacted products

Vendor	Product	Version
mozilla	firefox	*
mozilla	firefox	*
mozilla	firefox	*
mozilla	firefox_focus	*
mozilla	thunderbird	*

JSON

To clipboard

{
  "cisaActionDue": "2022-03-21",
  "cisaExploitAdd": "2022-03-07",
  "cisaRequiredAction": "Apply updates per vendor instructions.",
  "cisaVulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*",
              "matchCriteriaId": "43351EFE-E64C-4ACD-A779-CBADE52E35B3",
              "versionEndExcluding": "91.6.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "E34F39EA-3536-47AE-948A-A1BE4FEBAA52",
              "versionEndExcluding": "97.0.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*",
              "matchCriteriaId": "CDD84821-8FA2-483B-995B-5C1F571D4247",
              "versionEndExcluding": "97.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3F1EC4DF-B869-4BEB-BB9D-C629F82A9941",
              "versionEndExcluding": "97.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA3A4431-52FE-4BEE-A847-B500211A79AD",
              "versionEndExcluding": "91.6.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0."
    },
    {
      "lang": "es",
      "value": "La eliminaci\u00f3n de un par\u00e1metro XSLT durante el procesamiento podr\u00eda haber dado lugar a un use-after-free explotable. Hemos recibido informes de ataques en la naturaleza que abusan de esta falla. Esta vulnerabilidad afecta a Firefox \u0026lt; 97.0.2, Firefox ESR \u0026lt; 91.6.1, Firefox para Android \u0026lt; 97.3.0, Thunderbird \u0026lt; 91.6.2 y Focus \u0026lt; 97.3.0."
    }
  ],
  "id": "CVE-2022-26485",
  "lastModified": "2025-11-04T14:35:17.667",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2022-12-22T20:15:22.563",
  "references": [
    {
      "source": "security@mozilla.org",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758062"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758062"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26485"
    }
  ],
  "sourceIdentifier": "security@mozilla.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GHSA-RJ77-M66J-H24W

Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-10-22 00:32

Details

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-26485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-22T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.",
  "id": "GHSA-rj77-m66j-h24w",
  "modified": "2025-10-22T00:32:37Z",
  "published": "2022-12-22T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26485"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758062"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26485"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-09"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2022-26485

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-26485

Aliases

CVE-2022-26485

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-26485",
    "id": "GSD-2022-26485"
  },
  "gsd": {
    "affected": [
      {
        "package": {
          "ecosystem": "Mozilla",
          "name": "Firefox"
        },
        "ranges": [
          {
            "events": [
              {
                "fixed": "97.0.2"
              },
              {
                "introduced": "0"
              }
            ],
            "type": "SEMVER"
          }
        ],
        "version": []
      },
      {
        "package": {
          "ecosystem": "Mozilla",
          "name": "Firefox for Android"
        },
        "ranges": [
          {
            "events": [
              {
                "fixed": "97.3.0"
              },
              {
                "introduced": "0"
              }
            ],
            "type": "SEMVER"
          }
        ],
        "version": []
      },
      {
        "package": {
          "ecosystem": "Mozilla",
          "name": "Focus"
        },
        "ranges": [
          {
            "events": [
              {
                "fixed": "97.3.0"
              },
              {
                "introduced": "0"
              }
            ],
            "type": "SEMVER"
          }
        ],
        "version": []
      },
      {
        "package": {
          "ecosystem": "Mozilla",
          "name": "Firefox ESR"
        },
        "ranges": [
          {
            "events": [
              {
                "fixed": "91.6.1"
              },
              {
                "introduced": "0"
              }
            ],
            "type": "SEMVER"
          }
        ],
        "version": []
      },
      {
        "package": {
          "ecosystem": "Mozilla",
          "name": "Thunderbird"
        },
        "ranges": [
          {
            "events": [
              {
                "fixed": "91.6.2"
              },
              {
                "introduced": "0"
              }
            ],
            "type": "SEMVER"
          }
        ],
        "version": []
      }
    ],
    "alias": [
      "CVE-2022-26485"
    ],
    "database_specific": {
      "GSD": {
        "alias": "CVE-2022-26485",
        "id": "GSD-2022-26485",
        "references": [
          "https://www.suse.com/security/cve/CVE-2022-26485.html",
          "https://www.debian.org/security/2022/dsa-5090",
          "https://www.debian.org/security/2022/dsa-5094",
          "https://access.redhat.com/errata/RHSA-2022:0824",
          "https://access.redhat.com/errata/RHSA-2022:0818",
          "https://access.redhat.com/errata/RHSA-2022:0817",
          "https://access.redhat.com/errata/RHSA-2022:0816",
          "https://access.redhat.com/errata/RHSA-2022:0815",
          "https://ubuntu.com/security/CVE-2022-26485",
          "https://advisories.mageia.org/CVE-2022-26485.html",
          "https://linux.oracle.com/cve/CVE-2022-26485.html",
          "https://access.redhat.com/errata/RHSA-2022:0843",
          "https://access.redhat.com/errata/RHSA-2022:0845",
          "https://access.redhat.com/errata/RHSA-2022:0847",
          "https://access.redhat.com/errata/RHSA-2022:0850",
          "https://access.redhat.com/errata/RHSA-2022:0853"
        ]
      }
    },
    "details": "Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox for Android \u003c 97.3.0, Focus \u003c 97.3.0, Firefox ESR \u003c 91.6.1, and Thunderbird \u003c 91.6.2.",
    "id": "GSD-2022-26485",
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "modified": "2022-09-27T16:35:17.088544Z",
    "osvSchema": {
      "aliases": [
        "CVE-2022-26485"
      ],
      "details": "Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.",
      "id": "GSD-2022-26485",
      "modified": "2023-12-13T01:19:39.475150Z",
      "schema_version": "1.4.0"
    },
    "references": [
      {
        "type": "ADVISORY",
        "url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
      },
      {
        "type": "ADVISORY",
        "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758062"
      },
      {
        "type": "ADVISORY",
        "url": "https://www.suse.com/security/cve/CVE-2022-26485.html"
      },
      {
        "type": "ADVISORY",
        "url": "https://www.debian.org/security/2022/dsa-5090"
      },
      {
        "type": "ADVISORY",
        "url": "https://www.debian.org/security/2022/dsa-5094"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:0824"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:0818"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:0817"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:0816"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:0815"
      },
      {
        "type": "ADVISORY",
        "url": "https://ubuntu.com/security/CVE-2022-26485"
      },
      {
        "type": "ADVISORY",
        "url": "https://advisories.mageia.org/CVE-2022-26485.html"
      },
      {
        "type": "ADVISORY",
        "url": "https://linux.oracle.com/cve/CVE-2022-26485.html"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:0843"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:0845"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:0847"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:0850"
      },
      {
        "type": "ADVISORY",
        "url": "https://access.redhat.com/errata/RHSA-2022:0853"
      }
    ],
    "schema_version": "1.3.0",
    "summary": "Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox for Android \u003c 97.3.0, Focus \u003c 97.3.0, Firefox ESR \u003c 91.6.1, and Thunderbird \u003c 91.6.2."
  },
  "namespaces": {
    "cisa.gov": {
      "cveID": "CVE-2022-26485",
      "dateAdded": "2022-03-07",
      "dueDate": "2022-03-21",
      "product": "Firefox",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "Mozilla Firefox contains a use-after-free vulnerability in XSLT parameter processing which can be exploited to perform arbitrary code execution.",
      "vendorProject": "Mozilla",
      "vulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability"
    },
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@mozilla.org",
        "ID": "CVE-2022-26485",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Firefox",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "97.0.2"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Firefox ESR",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "91.6.1"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Firefox for Android",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "97.3.0"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Thunderbird",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "91.6.2"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Focus",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "97.3.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Mozilla"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Use-after-free in XSLT parameter processing"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.mozilla.org/security/advisories/mfsa2022-09/",
            "refsource": "MISC",
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
          },
          {
            "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758062",
            "refsource": "MISC",
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758062"
          }
        ]
      }
    },
    "mozilla.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@mozilla.org",
        "ID": "CVE-2022-26485"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Firefox",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "97.0.2"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Firefox for Android",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "97.3.0"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Focus",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "97.3.0"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Firefox ESR",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "91.6.1"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Thunderbird",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "91.6.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Mozilla"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox for Android \u003c 97.3.0, Focus \u003c 97.3.0, Firefox ESR \u003c 91.6.1, and Thunderbird \u003c 91.6.2."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Use-after-free in XSLT parameter processing"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
          },
          {
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758062"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "97.3.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "97.0.2",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "91.6.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*",
                "cpe_name": [],
                "versionEndExcluding": "97.3.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "91.6.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2022-26485"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-416"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758062",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Issue Tracking",
                "Vendor Advisory"
              ],
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758062"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2022-09/",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-12-30T16:22Z",
      "publishedDate": "2022-12-22T20:15Z"
    }
  }
}

OPENSUSE-SU-2022:0783-1

Vulnerability from csaf_opensuse - Published: 2022-03-09 14:16 - Updated: 2022-03-09 14:16

Summary

Security update for MozillaFirefox

Severity

Important

Notes

Title of the patch: Security update for MozillaFirefox

Description of the patch: This update for MozillaFirefox fixes the following issues: Firefox Extended Support Release 91.6.1 ESR (bsc#1196809): - CVE-2022-26485: Use-after-free in XSLT parameter processing - CVE-2022-26486: Use-after-free in WebGPU IPC Framework

Patchnames: openSUSE-SLE-15.3-2022-783,openSUSE-SLE-15.4-2022-783

CVE-2022-26485

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 20 products

Product	Version	Remediation
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2022-26486

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Recommended 20 products

Product	Version	Remediation
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64	—	Vendor Fix

Threats

Impact important

References

11 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://bugzilla.suse.com/1196809	self
https://www.suse.com/security/cve/CVE-2022-26485/	self
https://www.suse.com/security/cve/CVE-2022-26486/	self
https://www.suse.com/security/cve/CVE-2022-26485	external
https://bugzilla.suse.com/1196809	external
https://www.suse.com/security/cve/CVE-2022-26486	external
https://bugzilla.suse.com/1196809	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for MozillaFirefox",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for MozillaFirefox fixes the following issues:\n\nFirefox Extended Support Release 91.6.1 ESR (bsc#1196809):\n\n- CVE-2022-26485: Use-after-free in XSLT parameter processing\n- CVE-2022-26486: Use-after-free in WebGPU IPC Framework\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-SLE-15.3-2022-783,openSUSE-SLE-15.4-2022-783",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0783-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2022:0783-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IZLR36GLK5UWW34Z6YUDXKWIHXMQEYSY/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2022:0783-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IZLR36GLK5UWW34Z6YUDXKWIHXMQEYSY/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1196809",
        "url": "https://bugzilla.suse.com/1196809"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-26485 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-26485/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-26486 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-26486/"
      }
    ],
    "title": "Security update for MozillaFirefox",
    "tracking": {
      "current_release_date": "2022-03-09T14:16:49Z",
      "generator": {
        "date": "2022-03-09T14:16:49Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2022:0783-1",
      "initial_release_date": "2022-03-09T14:16:49Z",
      "revision_history": [
        {
          "date": "2022-03-09T14:16:49Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "MozillaFirefox-91.6.1-152.19.1.aarch64",
                "product": {
                  "name": "MozillaFirefox-91.6.1-152.19.1.aarch64",
                  "product_id": "MozillaFirefox-91.6.1-152.19.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
                "product": {
                  "name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
                  "product_id": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
                "product": {
                  "name": "MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
                  "product_id": "MozillaFirefox-devel-91.6.1-152.19.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
                "product": {
                  "name": "MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
                  "product_id": "MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
                "product": {
                  "name": "MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
                  "product_id": "MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "MozillaFirefox-91.6.1-152.19.1.ppc64le",
                "product": {
                  "name": "MozillaFirefox-91.6.1-152.19.1.ppc64le",
                  "product_id": "MozillaFirefox-91.6.1-152.19.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
                "product": {
                  "name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
                  "product_id": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
                "product": {
                  "name": "MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
                  "product_id": "MozillaFirefox-devel-91.6.1-152.19.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
                "product": {
                  "name": "MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
                  "product_id": "MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
                "product": {
                  "name": "MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
                  "product_id": "MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "MozillaFirefox-91.6.1-152.19.1.s390x",
                "product": {
                  "name": "MozillaFirefox-91.6.1-152.19.1.s390x",
                  "product_id": "MozillaFirefox-91.6.1-152.19.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
                "product": {
                  "name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
                  "product_id": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-devel-91.6.1-152.19.1.s390x",
                "product": {
                  "name": "MozillaFirefox-devel-91.6.1-152.19.1.s390x",
                  "product_id": "MozillaFirefox-devel-91.6.1-152.19.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
                "product": {
                  "name": "MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
                  "product_id": "MozillaFirefox-translations-common-91.6.1-152.19.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
                "product": {
                  "name": "MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
                  "product_id": "MozillaFirefox-translations-other-91.6.1-152.19.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "MozillaFirefox-91.6.1-152.19.1.x86_64",
                "product": {
                  "name": "MozillaFirefox-91.6.1-152.19.1.x86_64",
                  "product_id": "MozillaFirefox-91.6.1-152.19.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
                "product": {
                  "name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
                  "product_id": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
                "product": {
                  "name": "MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
                  "product_id": "MozillaFirefox-devel-91.6.1-152.19.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
                "product": {
                  "name": "MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
                  "product_id": "MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64",
                "product": {
                  "name": "MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64",
                  "product_id": "MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.3",
                "product": {
                  "name": "openSUSE Leap 15.3",
                  "product_id": "openSUSE Leap 15.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-91.6.1-152.19.1.aarch64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64"
        },
        "product_reference": "MozillaFirefox-91.6.1-152.19.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-91.6.1-152.19.1.ppc64le as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le"
        },
        "product_reference": "MozillaFirefox-91.6.1-152.19.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-91.6.1-152.19.1.s390x as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x"
        },
        "product_reference": "MozillaFirefox-91.6.1-152.19.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-91.6.1-152.19.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64"
        },
        "product_reference": "MozillaFirefox-91.6.1-152.19.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64"
        },
        "product_reference": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le"
        },
        "product_reference": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x"
        },
        "product_reference": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64"
        },
        "product_reference": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-devel-91.6.1-152.19.1.aarch64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64"
        },
        "product_reference": "MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-devel-91.6.1-152.19.1.ppc64le as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le"
        },
        "product_reference": "MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-devel-91.6.1-152.19.1.s390x as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x"
        },
        "product_reference": "MozillaFirefox-devel-91.6.1-152.19.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-devel-91.6.1-152.19.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64"
        },
        "product_reference": "MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64"
        },
        "product_reference": "MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le"
        },
        "product_reference": "MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-translations-common-91.6.1-152.19.1.s390x as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x"
        },
        "product_reference": "MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64"
        },
        "product_reference": "MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64"
        },
        "product_reference": "MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le"
        },
        "product_reference": "MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-translations-other-91.6.1-152.19.1.s390x as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x"
        },
        "product_reference": "MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
        },
        "product_reference": "MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-26485",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-26485"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64",
          "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le",
          "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x",
          "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64",
          "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
          "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
          "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
          "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
          "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
          "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
          "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x",
          "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
          "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
          "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
          "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
          "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
          "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
          "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
          "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
          "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-26485",
          "url": "https://www.suse.com/security/cve/CVE-2022-26485"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196809 for CVE-2022-26485",
          "url": "https://bugzilla.suse.com/1196809"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-03-09T14:16:49Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-26485"
    },
    {
      "cve": "CVE-2022-26486",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-26486"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64",
          "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le",
          "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x",
          "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64",
          "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
          "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
          "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
          "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
          "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
          "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
          "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x",
          "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
          "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
          "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
          "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
          "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
          "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
          "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
          "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
          "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-26486",
          "url": "https://www.suse.com/security/cve/CVE-2022-26486"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1196809 for CVE-2022-26486",
          "url": "https://bugzilla.suse.com/1196809"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
            "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-03-09T14:16:49Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-26486"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-26485 (GCVE-0-2022-26485)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

Solution

Solution

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Tags

Sightings

Nomenclature