Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-26486 (GCVE-0-2022-26486)
Vulnerability from cvelistv5 – Published: 2022-12-22 00:00 – Updated: 2025-10-21 23:15
VLAI?
EPSS
CISA KEV
Summary
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.
Severity ?
9.6 (Critical)
CWE
- Use-after-free in WebGPU IPC Framework
Assigner
References
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 97.0.2
(custom)
|
|
| Mozilla | Firefox ESR |
Affected:
unspecified , < 91.6.1
(custom)
|
|
| Mozilla | Firefox for Android |
Affected:
unspecified , < 97.3.0
(custom)
|
|
| Mozilla | Thunderbird |
Affected:
unspecified , < 91.6.2
(custom)
|
|
| Mozilla | Focus |
Affected:
unspecified , < 97.3.0
(custom)
|
CISA KEV
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: c5376e9e-494b-4716-baca-0eb64d393066
Exploited: Yes
Timestamps
First Seen: 2022-03-07
Asserted: 2022-03-07
Scope
Notes: KEV entry: Mozilla Firefox Use-After-Free Vulnerability | Affected: Mozilla / Firefox | Description: Mozilla Firefox contains a use-after-free vulnerability in WebGPU IPC Framework which can be exploited to perform arbitrary code execution. | Required action: Apply updates per vendor instructions. | Due date: 2022-03-21 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://nvd.nist.gov/vuln/detail/CVE-2022-26486
Evidence
Type: Vendor Report
Signal: Successful Exploitation
Confidence: 80%
Source: cisa-kev
Details
| Cwes | CWE-416 |
|---|---|
| Feed | CISA Known Exploited Vulnerabilities Catalog |
| Product | Firefox |
| Due Date | 2022-03-21 |
| Date Added | 2022-03-07 |
| Vendorproject | Mozilla |
| Vulnerabilityname | Mozilla Firefox Use-After-Free Vulnerability |
| Knownransomwarecampaignuse | Unknown |
References
Created: 2026-02-02 12:28 UTC
| Updated: 2026-02-06 07:17 UTC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:03:32.913Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758070"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-26486",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T21:24:00.039216Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-03-07",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26486"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:15:29.274Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26486"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-03-07T00:00:00.000Z",
"value": "CVE-2022-26486 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "97.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "91.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox for Android",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "97.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "91.6.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Focus",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "97.3.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Use-after-free in WebGPU IPC Framework",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-22T00:00:00.000Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
},
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758070"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2022-26486",
"datePublished": "2022-12-22T00:00:00.000Z",
"dateReserved": "2022-03-04T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:15:29.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2022-26486",
"cwes": "[\"CWE-416\"]",
"dateAdded": "2022-03-07",
"dueDate": "2022-03-21",
"knownRansomwareCampaignUse": "Unknown",
"notes": "https://nvd.nist.gov/vuln/detail/CVE-2022-26486",
"product": "Firefox",
"requiredAction": "Apply updates per vendor instructions.",
"shortDescription": "Mozilla Firefox contains a use-after-free vulnerability in WebGPU IPC Framework which can be exploited to perform arbitrary code execution.",
"vendorProject": "Mozilla",
"vulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability"
},
"epss": {
"cve": "CVE-2022-26486",
"date": "2026-05-19",
"epss": "0.05458",
"percentile": "0.90279"
},
"fkie_nvd": {
"cisaActionDue": "2022-03-21",
"cisaExploitAdd": "2022-03-07",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability",
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"97.0.2\", \"matchCriteriaId\": \"9D8E2245-D602-42F5-AA80-B3CFA666E595\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*\", \"versionEndExcluding\": \"97.3.0\", \"matchCriteriaId\": \"CDD84821-8FA2-483B-995B-5C1F571D4247\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"91.6.1\", \"matchCriteriaId\": \"4AE9257B-B169-42AF-82C6-EF62FDFE2110\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"97.3.0\", \"matchCriteriaId\": \"3F1EC4DF-B869-4BEB-BB9D-C629F82A9941\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"91.6.2\", \"matchCriteriaId\": \"FA3A4431-52FE-4BEE-A847-B500211A79AD\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.\"}, {\"lang\": \"es\", \"value\": \"Un mensaje inesperado en el framework IPC de WebGPU podr\\u00eda provocar un escape de la sandbox explotable y de use-after-free. Hemos recibido informes de ataques en la naturaleza que abusan de esta falla. Esta vulnerabilidad afecta a Firefox \u0026lt; 97.0.2, Firefox ESR \u0026lt; 91.6.1, Firefox para Android \u0026lt; 97.3.0, Thunderbird \u0026lt; 91.6.2 y Focus \u0026lt; 97.3.0.\"}]",
"id": "CVE-2022-26486",
"lastModified": "2024-11-21T06:54:02.457",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\", \"baseScore\": 9.6, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 6.0}]}",
"published": "2022-12-22T20:15:22.797",
"references": "[{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1758070\", \"source\": \"security@mozilla.org\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2022-09/\", \"source\": \"security@mozilla.org\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1758070\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2022-09/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "security@mozilla.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-416\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-26486\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2022-12-22T20:15:22.797\",\"lastModified\":\"2025-11-04T14:35:12.657\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.\"},{\"lang\":\"es\",\"value\":\"Un mensaje inesperado en el framework IPC de WebGPU podr\u00eda provocar un escape de la sandbox explotable y de use-after-free. Hemos recibido informes de ataques en la naturaleza que abusan de esta falla. Esta vulnerabilidad afecta a Firefox \u0026lt; 97.0.2, Firefox ESR \u0026lt; 91.6.1, Firefox para Android \u0026lt; 97.3.0, Thunderbird \u0026lt; 91.6.2 y Focus \u0026lt; 97.3.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.6,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":6.0},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.6,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":6.0}]},\"cisaExploitAdd\":\"2022-03-07\",\"cisaActionDue\":\"2022-03-21\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Mozilla Firefox Use-After-Free Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*\",\"versionEndExcluding\":\"91.6.1\",\"matchCriteriaId\":\"43351EFE-E64C-4ACD-A779-CBADE52E35B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*\",\"versionEndExcluding\":\"97.0.2\",\"matchCriteriaId\":\"E34F39EA-3536-47AE-948A-A1BE4FEBAA52\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*\",\"versionEndExcluding\":\"97.3.0\",\"matchCriteriaId\":\"CDD84821-8FA2-483B-995B-5C1F571D4247\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"97.3.0\",\"matchCriteriaId\":\"3F1EC4DF-B869-4BEB-BB9D-C629F82A9941\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"91.6.2\",\"matchCriteriaId\":\"FA3A4431-52FE-4BEE-A847-B500211A79AD\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1758070\",\"source\":\"security@mozilla.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2022-09/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1758070\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2022-09/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26486\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.mozilla.org/security/advisories/mfsa2022-09/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1758070\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T05:03:32.913Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-26486\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-28T21:24:00.039216Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-03-07\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26486\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2022-03-07T00:00:00.000Z\", \"value\": \"CVE-2022-26486 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26486\", \"tags\": [\"government-resource\"]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-28T21:23:47.153Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"Mozilla\", \"product\": \"Firefox\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"97.0.2\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Firefox ESR\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"91.6.1\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Firefox for Android\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"97.3.0\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Thunderbird\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"91.6.2\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Mozilla\", \"product\": \"Focus\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"97.3.0\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://www.mozilla.org/security/advisories/mfsa2022-09/\"}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1758070\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Use-after-free in WebGPU IPC Framework\"}]}], \"providerMetadata\": {\"orgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"shortName\": \"mozilla\", \"dateUpdated\": \"2022-12-22T00:00:00.000Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-26486\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:15:29.274Z\", \"dateReserved\": \"2022-03-04T00:00:00.000Z\", \"assignerOrgId\": \"f16b083a-5664-49f3-a51e-8d479e5ed7fe\", \"datePublished\": \"2022-12-22T00:00:00.000Z\", \"assignerShortName\": \"mozilla\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
CERTFR-2022-AVI-210
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Mozilla. Elles permettent à un attaquant de provoquer une exécution de code arbitraire et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Mozilla | Thunderbird | Thunderbird versions antérieures à 91.6.2 | ||
| Mozilla | Firefox | Firefox pour Android versions antérieures à 97.3 | ||
| Mozilla | Firefox ESR | Firefox ESR versions antérieures à 91.6.1 | ||
| Mozilla | N/A | Focus versions antérieures à 97.3 | ||
| Mozilla | Firefox | Firefox versions antérieures à 97.0.2 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Thunderbird versions ant\u00e9rieures \u00e0 91.6.2",
"product": {
"name": "Thunderbird",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Firefox pour Android versions ant\u00e9rieures \u00e0 97.3",
"product": {
"name": "Firefox",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Firefox ESR versions ant\u00e9rieures \u00e0 91.6.1",
"product": {
"name": "Firefox ESR",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Focus versions ant\u00e9rieures \u00e0 97.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Firefox versions ant\u00e9rieures \u00e0 97.0.2",
"product": {
"name": "Firefox",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-26485",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-26485"
},
{
"name": "CVE-2022-26486",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-26486"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-210",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-03-07T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nMozilla. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Mozilla",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla du 05 mars 2022",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/"
}
]
}
CERTFR-2022-AVI-210
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Mozilla. Elles permettent à un attaquant de provoquer une exécution de code arbitraire et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Mozilla | Thunderbird | Thunderbird versions antérieures à 91.6.2 | ||
| Mozilla | Firefox | Firefox pour Android versions antérieures à 97.3 | ||
| Mozilla | Firefox ESR | Firefox ESR versions antérieures à 91.6.1 | ||
| Mozilla | N/A | Focus versions antérieures à 97.3 | ||
| Mozilla | Firefox | Firefox versions antérieures à 97.0.2 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Thunderbird versions ant\u00e9rieures \u00e0 91.6.2",
"product": {
"name": "Thunderbird",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Firefox pour Android versions ant\u00e9rieures \u00e0 97.3",
"product": {
"name": "Firefox",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Firefox ESR versions ant\u00e9rieures \u00e0 91.6.1",
"product": {
"name": "Firefox ESR",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Focus versions ant\u00e9rieures \u00e0 97.3",
"product": {
"name": "N/A",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Firefox versions ant\u00e9rieures \u00e0 97.0.2",
"product": {
"name": "Firefox",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-26485",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-26485"
},
{
"name": "CVE-2022-26486",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-26486"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-210",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-03-07T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nMozilla. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Mozilla",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla du 05 mars 2022",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/"
}
]
}
alsa-2022:0818
Vulnerability from osv_almalinux
Published
2022-03-10 14:36
Modified
2022-03-10 21:25
Summary
Critical: firefox security update
Details
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.
This update upgrades Firefox to version 91.7.0 ESR.
Security Fix(es):
-
Mozilla: Use-after-free in XSLT parameter processing (CVE-2022-26485)
-
Mozilla: Use-after-free in WebGPU IPC Framework (CVE-2022-26486)
-
expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)
-
expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution (CVE-2022-25236)
-
expat: Integer overflow in storeRawNames() (CVE-2022-25315)
-
Mozilla: Use-after-free in text reflows (CVE-2022-26381)
-
Mozilla: Browser window spoof using fullscreen mode (CVE-2022-26383)
-
Mozilla: iframe allow-scripts sandbox bypass (CVE-2022-26384)
-
Mozilla: Time-of-check time-of-use bug when verifying add-on signatures (CVE-2022-26387)
-
Mozilla: Temporary files downloaded to /tmp and accessible by other local users (CVE-2022-26386)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "firefox"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "91.7.0-3.el8_5.alma"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 91.7.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Use-after-free in XSLT parameter processing (CVE-2022-26485)\n\n* Mozilla: Use-after-free in WebGPU IPC Framework (CVE-2022-26486)\n\n* expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)\n\n* expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution (CVE-2022-25236)\n\n* expat: Integer overflow in storeRawNames() (CVE-2022-25315)\n\n* Mozilla: Use-after-free in text reflows (CVE-2022-26381)\n\n* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-26383)\n\n* Mozilla: iframe allow-scripts sandbox bypass (CVE-2022-26384)\n\n* Mozilla: Time-of-check time-of-use bug when verifying add-on signatures (CVE-2022-26387)\n\n* Mozilla: Temporary files downloaded to /tmp and accessible by other local users (CVE-2022-26386)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"id": "ALSA-2022:0818",
"modified": "2022-03-10T21:25:28Z",
"published": "2022-03-10T14:36:51Z",
"references": [
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-25235"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-25236"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-25315"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-26381"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-26383"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-26384"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-26386"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-26387"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-26485"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-26486"
}
],
"related": [
"CVE-2022-26485",
"CVE-2022-26486",
"CVE-2022-25235",
"CVE-2022-25236",
"CVE-2022-25315",
"CVE-2022-26381",
"CVE-2022-26383",
"CVE-2022-26384",
"CVE-2022-26387",
"CVE-2022-26386"
],
"summary": "Critical: firefox security update"
}
alsa-2022:0845
Vulnerability from osv_almalinux
Published
2022-03-14 09:49
Modified
2022-03-15 08:56
Summary
Important: thunderbird security update
Details
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 91.7.0.
Security Fix(es):
-
Mozilla: Use-after-free in XSLT parameter processing (CVE-2022-26485)
-
Mozilla: Use-after-free in WebGPU IPC Framework (CVE-2022-26486)
-
expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)
-
expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution (CVE-2022-25236)
-
expat: Integer overflow in storeRawNames() (CVE-2022-25315)
-
Mozilla: Use-after-free in text reflows (CVE-2022-26381)
-
Mozilla: Browser window spoof using fullscreen mode (CVE-2022-26383)
-
Mozilla: iframe allow-scripts sandbox bypass (CVE-2022-26384)
-
Mozilla: Time-of-check time-of-use bug when verifying add-on signatures (CVE-2022-26387)
-
thunderbird: Crafted email could trigger an out-of-bounds write (CVE-2022-0566)
-
Mozilla: Temporary files downloaded to /tmp and accessible by other local users (CVE-2022-26386)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
| URL | Type | ||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "thunderbird"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "91.7.0-2.el8_5.alma"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "thunderbird"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "91.7.0-2.el8_5.alma.plus"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Mozilla Thunderbird is a standalone mail and newsgroup client.\n\nThis update upgrades Thunderbird to version 91.7.0.\n\nSecurity Fix(es):\n\n* Mozilla: Use-after-free in XSLT parameter processing (CVE-2022-26485)\n\n* Mozilla: Use-after-free in WebGPU IPC Framework (CVE-2022-26486)\n\n* expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235)\n\n* expat: Namespace-separator characters in \"xmlns[:prefix]\" attribute values can lead to arbitrary code execution (CVE-2022-25236)\n\n* expat: Integer overflow in storeRawNames() (CVE-2022-25315)\n\n* Mozilla: Use-after-free in text reflows (CVE-2022-26381)\n\n* Mozilla: Browser window spoof using fullscreen mode (CVE-2022-26383)\n\n* Mozilla: iframe allow-scripts sandbox bypass (CVE-2022-26384)\n\n* Mozilla: Time-of-check time-of-use bug when verifying add-on signatures (CVE-2022-26387)\n\n* thunderbird: Crafted email could trigger an out-of-bounds write (CVE-2022-0566)\n\n* Mozilla: Temporary files downloaded to /tmp and accessible by other local users (CVE-2022-26386)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"id": "ALSA-2022:0845",
"modified": "2022-03-15T08:56:50Z",
"published": "2022-03-14T09:49:10Z",
"references": [
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-0566"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-25235"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-25236"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-25315"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-26381"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-26383"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-26384"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-26386"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-26387"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-26485"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2022-26486"
}
],
"related": [
"CVE-2022-26485",
"CVE-2022-26486",
"CVE-2022-25235",
"CVE-2022-25236",
"CVE-2022-25315",
"CVE-2022-26381",
"CVE-2022-26383",
"CVE-2022-26384",
"CVE-2022-26387",
"CVE-2022-0566",
"CVE-2022-26386"
],
"summary": "Important: thunderbird security update"
}
BDU:2022-01147
Vulnerability from fstec - Published: 05.03.2022
VLAI Severity ?
Title
Уязвимость программного интерфейса обработки 3D-графики и вычислений WebGPU браузеров Mozilla Firefox и Focus, позволяющая нарушителю выполнить произвольный код
Description
Уязвимость программного интерфейса обработки 3D-графики и вычислений WebGPU браузеров Mozilla Firefox и Focus связана с использованием памяти после ее освобождения. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код
Severity ?
Vendor
ООО «Ред Софт», ФССП России, Mozilla Corp., АО «ИВК», АО "НППКТ", АО «Концерн ВНИИНС»
Software Name
РЕД ОС (запись в едином реестре российских программ №3751), ОС ТД АИС ФССП России, Firefox, Firefox ESR, Focus, Альт 8 СП (запись в едином реестре российских программ №4305), ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913), ОС ОН «Стрелец» (запись в едином реестре российских программ №6177)
Software Version
7.3 (РЕД ОС), ИК6 (ОС ТД АИС ФССП России), до 97.0.2 (Firefox), до 91.6.1 (Firefox ESR), до 97.3 (Firefox), до 97.3 (Focus), - (Альт 8 СП), до 2.4.3 (ОСОН ОСнова Оnyx), до 16.01.2023 (ОС ОН «Стрелец»)
Possible Mitigations
1. Использование рекомендаций производителя: https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/
2. Доступ только к доверенным Интернет-ресурсам
3. Использование межсетевого экрана
4. Запуск браузера от имени пользователя с минимальными привилегиями
Для РедОС:
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
Для ОС ТД АИС ФССП России:
https://goslinux.fssp.gov.ru/2726972/
Для ОС Альт 8 СП:
Обновление программного обеспечения до актуальной версии
Для ОСОН Основа:
Обновление программного обеспечения firefox-esr до версии 91.7.0esr+repack-1~deb10u1.osnova1
Для ОСОН Основа:
Обновление программного обеспечения thunderbird до версии 1:91.7.0+repack-2~deb10u1.osnova1
Для ОС ОН «Стрелец»:
Обновление программного обеспечения firefox-esr до версии 91.13.0esr+repack-1~deb10u1.osnova1.strelets
Обновление программного обеспечения thunderbird до версии 1:91.13.0+repack-1~deb10u1.osnova1.strelets
Reference
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
https://altsp.su/obnovleniya-bezopasnosti/
https://goslinux.fssp.gov.ru/2726972/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/
https://www.opennet.ru/opennews/art.shtml?num=56808
https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.4.3/
https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.4.3/
https://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023
https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.5/
https://bugzilla.mozilla.org/show_bug.cgi?id=1758070
CWE
CWE-416
{
"CVSS 2.0": "AV:N/AC:H/Au:N/C:C/I:C/A:C",
"CVSS 3.0": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438, Mozilla Corp., \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\", \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), \u0418\u041a6 (\u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438), \u0434\u043e 97.0.2 (Firefox), \u0434\u043e 91.6.1 (Firefox ESR), \u0434\u043e 97.3 (Firefox), \u0434\u043e 97.3 (Focus), - (\u0410\u043b\u044c\u0442 8 \u0421\u041f), \u0434\u043e 2.4.3 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), \u0434\u043e 16.01.2023 (\u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "1. \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/\n2. \u0414\u043e\u0441\u0442\u0443\u043f \u0442\u043e\u043b\u044c\u043a\u043e \u043a \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u043c \u0418\u043d\u0442\u0435\u0440\u043d\u0435\u0442-\u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\n3. \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u044d\u043a\u0440\u0430\u043d\u0430\n4. \u0417\u0430\u043f\u0443\u0441\u043a \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430 \u043e\u0442 \u0438\u043c\u0435\u043d\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0441 \u043c\u0438\u043d\u0438\u043c\u0430\u043b\u044c\u043d\u044b\u043c\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u044f\u043c\u0438\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: \nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f \u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438:\nhttps://goslinux.fssp.gov.ru/2726972/\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043e \u0430\u043a\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0441\u043d\u043e\u0432\u0430:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f firefox-esr \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 91.7.0esr+repack-1~deb10u1.osnova1\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0441\u043d\u043e\u0432\u0430:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f thunderbird \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1:91.7.0+repack-2~deb10u1.osnova1\n\n\u0414\u043b\u044f \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f firefox-esr \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 91.13.0esr+repack-1~deb10u1.osnova1.strelets\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f thunderbird \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1:91.13.0+repack-1~deb10u1.osnova1.strelets\n\n",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "05.03.2022",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "13.09.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "05.03.2022",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-01147",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-26486",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438, Firefox, Firefox ESR, Focus, \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438 \u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438 \u0418\u041a6 , \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb \u0434\u043e 16.01.2023 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0438 3D-\u0433\u0440\u0430\u0444\u0438\u043a\u0438 \u0438 \u0432\u044b\u0447\u0438\u0441\u043b\u0435\u043d\u0438\u0439 WebGPU \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u0432 Mozilla Firefox \u0438 Focus, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043f\u043e\u0441\u043b\u0435 \u043e\u0441\u0432\u043e\u0431\u043e\u0436\u0434\u0435\u043d\u0438\u044f (CWE-416)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0438 3D-\u0433\u0440\u0430\u0444\u0438\u043a\u0438 \u0438 \u0432\u044b\u0447\u0438\u0441\u043b\u0435\u043d\u0438\u0439 WebGPU \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u0432 Mozilla Firefox \u0438 Focus \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u043f\u0430\u043c\u044f\u0442\u0438 \u043f\u043e\u0441\u043b\u0435 \u0435\u0435 \u043e\u0441\u0432\u043e\u0431\u043e\u0436\u0434\u0435\u043d\u0438\u044f. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "http://repo.red-soft.ru/redos/7.3c/x86_64/updates/\nhttps://altsp.su/obnovleniya-bezopasnosti/\nhttps://goslinux.fssp.gov.ru/2726972/\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2022-09/\nhttps://www.opennet.ru/opennews/art.shtml?num=56808\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.4.3/\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.4.3/\nhttps://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.5/\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1758070",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-416",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,6)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}
FKIE_CVE-2022-26486
Vulnerability from fkie_nvd - Published: 2022-12-22 20:15 - Updated: 2025-11-04 14:35
Severity ?
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.
References
| URL | Tags | ||
|---|---|---|---|
| security@mozilla.org | https://bugzilla.mozilla.org/show_bug.cgi?id=1758070 | Exploit, Issue Tracking, Vendor Advisory | |
| security@mozilla.org | https://www.mozilla.org/security/advisories/mfsa2022-09/ | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.mozilla.org/show_bug.cgi?id=1758070 | Exploit, Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.mozilla.org/security/advisories/mfsa2022-09/ | Exploit, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26486 | US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mozilla | firefox | * | |
| mozilla | firefox | * | |
| mozilla | firefox | * | |
| mozilla | firefox_focus | * | |
| mozilla | thunderbird | * |
{
"cisaActionDue": "2022-03-21",
"cisaExploitAdd": "2022-03-07",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*",
"matchCriteriaId": "43351EFE-E64C-4ACD-A779-CBADE52E35B3",
"versionEndExcluding": "91.6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*",
"matchCriteriaId": "E34F39EA-3536-47AE-948A-A1BE4FEBAA52",
"versionEndExcluding": "97.0.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*",
"matchCriteriaId": "CDD84821-8FA2-483B-995B-5C1F571D4247",
"versionEndExcluding": "97.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3F1EC4DF-B869-4BEB-BB9D-C629F82A9941",
"versionEndExcluding": "97.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FA3A4431-52FE-4BEE-A847-B500211A79AD",
"versionEndExcluding": "91.6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0."
},
{
"lang": "es",
"value": "Un mensaje inesperado en el framework IPC de WebGPU podr\u00eda provocar un escape de la sandbox explotable y de use-after-free. Hemos recibido informes de ataques en la naturaleza que abusan de esta falla. Esta vulnerabilidad afecta a Firefox \u0026lt; 97.0.2, Firefox ESR \u0026lt; 91.6.1, Firefox para Android \u0026lt; 97.3.0, Thunderbird \u0026lt; 91.6.2 y Focus \u0026lt; 97.3.0."
}
],
"id": "CVE-2022-26486",
"lastModified": "2025-11-04T14:35:12.657",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-12-22T20:15:22.797",
"references": [
{
"source": "security@mozilla.org",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758070"
},
{
"source": "security@mozilla.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758070"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26486"
}
],
"sourceIdentifier": "security@mozilla.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-416"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-416"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
GHSA-H9VH-VXG7-XMHH
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-10-22 00:32
VLAI?
Details
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.
Severity ?
9.6 (Critical)
{
"affected": [],
"aliases": [
"CVE-2022-26486"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "CRITICAL"
},
"details": "An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.",
"id": "GHSA-h9vh-vxg7-xmhh",
"modified": "2025-10-22T00:32:37Z",
"published": "2022-12-22T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26486"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758070"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26486"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-09"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GSD-2022-26486
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-26486",
"id": "GSD-2022-26486"
},
"gsd": {
"affected": [
{
"package": {
"ecosystem": "Mozilla",
"name": "Firefox"
},
"ranges": [
{
"events": [
{
"fixed": "97.0.2"
},
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"version": []
},
{
"package": {
"ecosystem": "Mozilla",
"name": "Firefox for Android"
},
"ranges": [
{
"events": [
{
"fixed": "97.3.0"
},
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"version": []
},
{
"package": {
"ecosystem": "Mozilla",
"name": "Focus"
},
"ranges": [
{
"events": [
{
"fixed": "97.3.0"
},
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"version": []
},
{
"package": {
"ecosystem": "Mozilla",
"name": "Firefox ESR"
},
"ranges": [
{
"events": [
{
"fixed": "91.6.1"
},
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"version": []
},
{
"package": {
"ecosystem": "Mozilla",
"name": "Thunderbird"
},
"ranges": [
{
"events": [
{
"fixed": "91.6.2"
},
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"version": []
}
],
"alias": [
"CVE-2022-26486"
],
"database_specific": {
"GSD": {
"alias": "CVE-2022-26486",
"id": "GSD-2022-26486",
"references": [
"https://www.suse.com/security/cve/CVE-2022-26486.html",
"https://www.debian.org/security/2022/dsa-5090",
"https://www.debian.org/security/2022/dsa-5094",
"https://access.redhat.com/errata/RHSA-2022:0824",
"https://access.redhat.com/errata/RHSA-2022:0818",
"https://access.redhat.com/errata/RHSA-2022:0817",
"https://access.redhat.com/errata/RHSA-2022:0816",
"https://access.redhat.com/errata/RHSA-2022:0815",
"https://ubuntu.com/security/CVE-2022-26486",
"https://advisories.mageia.org/CVE-2022-26486.html",
"https://linux.oracle.com/cve/CVE-2022-26486.html",
"https://access.redhat.com/errata/RHSA-2022:0843",
"https://access.redhat.com/errata/RHSA-2022:0845",
"https://access.redhat.com/errata/RHSA-2022:0847",
"https://access.redhat.com/errata/RHSA-2022:0850",
"https://access.redhat.com/errata/RHSA-2022:0853"
]
}
},
"details": "An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox for Android \u003c 97.3.0, Focus \u003c 97.3.0, Firefox ESR \u003c 91.6.1, and Thunderbird \u003c 91.6.2.",
"id": "GSD-2022-26486",
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"modified": "2022-09-27T16:35:17.062938Z",
"osvSchema": {
"aliases": [
"CVE-2022-26486"
],
"details": "An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.",
"id": "GSD-2022-26486",
"modified": "2023-12-13T01:19:39.543702Z",
"schema_version": "1.4.0"
},
"references": [
{
"type": "ADVISORY",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
},
{
"type": "ADVISORY",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758070"
},
{
"type": "ADVISORY",
"url": "https://www.suse.com/security/cve/CVE-2022-26486.html"
},
{
"type": "ADVISORY",
"url": "https://www.debian.org/security/2022/dsa-5090"
},
{
"type": "ADVISORY",
"url": "https://www.debian.org/security/2022/dsa-5094"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0824"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0818"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0817"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0816"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0815"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/CVE-2022-26486"
},
{
"type": "ADVISORY",
"url": "https://advisories.mageia.org/CVE-2022-26486.html"
},
{
"type": "ADVISORY",
"url": "https://linux.oracle.com/cve/CVE-2022-26486.html"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0843"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0845"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0847"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0850"
},
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2022:0853"
}
],
"schema_version": "1.3.0",
"summary": "An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox for Android \u003c 97.3.0, Focus \u003c 97.3.0, Firefox ESR \u003c 91.6.1, and Thunderbird \u003c 91.6.2."
},
"namespaces": {
"cisa.gov": {
"cveID": "CVE-2022-26486",
"dateAdded": "2022-03-07",
"dueDate": "2022-03-21",
"product": "Firefox",
"requiredAction": "Apply updates per vendor instructions.",
"shortDescription": "Mozilla Firefox contains a use-after-free vulnerability in WebGPU IPC Framework which can be exploited to perform arbitrary code execution.",
"vendorProject": "Mozilla",
"vulnerabilityName": "Mozilla Firefox Use-After-Free Vulnerability"
},
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2022-26486",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Firefox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "97.0.2"
}
]
}
},
{
"product_name": "Firefox ESR",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "91.6.1"
}
]
}
},
{
"product_name": "Firefox for Android",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "97.3.0"
}
]
}
},
{
"product_name": "Thunderbird",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "91.6.2"
}
]
}
},
{
"product_name": "Focus",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "97.3.0"
}
]
}
}
]
},
"vendor_name": "Mozilla"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Use-after-free in WebGPU IPC Framework"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mozilla.org/security/advisories/mfsa2022-09/",
"refsource": "MISC",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
},
{
"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758070",
"refsource": "MISC",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758070"
}
]
}
},
"mozilla.org": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2022-26486"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Firefox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "97.0.2"
}
]
}
},
{
"product_name": "Firefox for Android",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "97.3.0"
}
]
}
},
{
"product_name": "Focus",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "97.3.0"
}
]
}
},
{
"product_name": "Firefox ESR",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "91.6.1"
}
]
}
},
{
"product_name": "Thunderbird",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "91.6.2"
}
]
}
}
]
},
"vendor_name": "Mozilla"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox for Android \u003c 97.3.0, Focus \u003c 97.3.0, Firefox ESR \u003c 91.6.1, and Thunderbird \u003c 91.6.2."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Use-after-free in WebGPU IPC Framework"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
},
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758070"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "97.3.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "97.0.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "91.6.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*",
"cpe_name": [],
"versionEndExcluding": "97.3.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "91.6.2",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2022-26486"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-416"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758070",
"refsource": "MISC",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1758070"
},
{
"name": "https://www.mozilla.org/security/advisories/mfsa2022-09/",
"refsource": "MISC",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2022-09/"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0
}
},
"lastModifiedDate": "2022-12-30T20:55Z",
"publishedDate": "2022-12-22T20:15Z"
}
}
}
OPENSUSE-SU-2022:0783-1
Vulnerability from csaf_opensuse - Published: 2022-03-09 14:16 - Updated: 2022-03-09 14:16Summary
Security update for MozillaFirefox
Severity
Important
Notes
Title of the patch: Security update for MozillaFirefox
Description of the patch: This update for MozillaFirefox fixes the following issues:
Firefox Extended Support Release 91.6.1 ESR (bsc#1196809):
- CVE-2022-26485: Use-after-free in XSLT parameter processing
- CVE-2022-26486: Use-after-free in WebGPU IPC Framework
Patchnames: openSUSE-SLE-15.3-2022-783,openSUSE-SLE-15.4-2022-783
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.8 (High)
Affected products
Recommended
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.8 (High)
Affected products
Recommended
20 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
11 references
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://bugzilla.suse.com/1196809 | self |
| https://www.suse.com/security/cve/CVE-2022-26485/ | self |
| https://www.suse.com/security/cve/CVE-2022-26486/ | self |
| https://www.suse.com/security/cve/CVE-2022-26485 | external |
| https://bugzilla.suse.com/1196809 | external |
| https://www.suse.com/security/cve/CVE-2022-26486 | external |
| https://bugzilla.suse.com/1196809 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for MozillaFirefox",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for MozillaFirefox fixes the following issues:\n\nFirefox Extended Support Release 91.6.1 ESR (bsc#1196809):\n\n- CVE-2022-26485: Use-after-free in XSLT parameter processing\n- CVE-2022-26486: Use-after-free in WebGPU IPC Framework\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-SLE-15.3-2022-783,openSUSE-SLE-15.4-2022-783",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0783-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2022:0783-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IZLR36GLK5UWW34Z6YUDXKWIHXMQEYSY/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2022:0783-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IZLR36GLK5UWW34Z6YUDXKWIHXMQEYSY/"
},
{
"category": "self",
"summary": "SUSE Bug 1196809",
"url": "https://bugzilla.suse.com/1196809"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-26485 page",
"url": "https://www.suse.com/security/cve/CVE-2022-26485/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-26486 page",
"url": "https://www.suse.com/security/cve/CVE-2022-26486/"
}
],
"title": "Security update for MozillaFirefox",
"tracking": {
"current_release_date": "2022-03-09T14:16:49Z",
"generator": {
"date": "2022-03-09T14:16:49Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2022:0783-1",
"initial_release_date": "2022-03-09T14:16:49Z",
"revision_history": [
{
"date": "2022-03-09T14:16:49Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "MozillaFirefox-91.6.1-152.19.1.aarch64",
"product": {
"name": "MozillaFirefox-91.6.1-152.19.1.aarch64",
"product_id": "MozillaFirefox-91.6.1-152.19.1.aarch64"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
"product": {
"name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
"product_id": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
"product": {
"name": "MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
"product_id": "MozillaFirefox-devel-91.6.1-152.19.1.aarch64"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
"product": {
"name": "MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
"product_id": "MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
"product": {
"name": "MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
"product_id": "MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "MozillaFirefox-91.6.1-152.19.1.ppc64le",
"product": {
"name": "MozillaFirefox-91.6.1-152.19.1.ppc64le",
"product_id": "MozillaFirefox-91.6.1-152.19.1.ppc64le"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
"product": {
"name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
"product_id": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
"product": {
"name": "MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
"product_id": "MozillaFirefox-devel-91.6.1-152.19.1.ppc64le"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
"product": {
"name": "MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
"product_id": "MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
"product": {
"name": "MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
"product_id": "MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "MozillaFirefox-91.6.1-152.19.1.s390x",
"product": {
"name": "MozillaFirefox-91.6.1-152.19.1.s390x",
"product_id": "MozillaFirefox-91.6.1-152.19.1.s390x"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
"product": {
"name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
"product_id": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-devel-91.6.1-152.19.1.s390x",
"product": {
"name": "MozillaFirefox-devel-91.6.1-152.19.1.s390x",
"product_id": "MozillaFirefox-devel-91.6.1-152.19.1.s390x"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
"product": {
"name": "MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
"product_id": "MozillaFirefox-translations-common-91.6.1-152.19.1.s390x"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
"product": {
"name": "MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
"product_id": "MozillaFirefox-translations-other-91.6.1-152.19.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "MozillaFirefox-91.6.1-152.19.1.x86_64",
"product": {
"name": "MozillaFirefox-91.6.1-152.19.1.x86_64",
"product_id": "MozillaFirefox-91.6.1-152.19.1.x86_64"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
"product": {
"name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
"product_id": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
"product": {
"name": "MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
"product_id": "MozillaFirefox-devel-91.6.1-152.19.1.x86_64"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
"product": {
"name": "MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
"product_id": "MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64"
}
},
{
"category": "product_version",
"name": "MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64",
"product": {
"name": "MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64",
"product_id": "MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-91.6.1-152.19.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64"
},
"product_reference": "MozillaFirefox-91.6.1-152.19.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-91.6.1-152.19.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le"
},
"product_reference": "MozillaFirefox-91.6.1-152.19.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-91.6.1-152.19.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x"
},
"product_reference": "MozillaFirefox-91.6.1-152.19.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-91.6.1-152.19.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64"
},
"product_reference": "MozillaFirefox-91.6.1-152.19.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64"
},
"product_reference": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le"
},
"product_reference": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x"
},
"product_reference": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64"
},
"product_reference": "MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-devel-91.6.1-152.19.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64"
},
"product_reference": "MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-devel-91.6.1-152.19.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le"
},
"product_reference": "MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-devel-91.6.1-152.19.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x"
},
"product_reference": "MozillaFirefox-devel-91.6.1-152.19.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-devel-91.6.1-152.19.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64"
},
"product_reference": "MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64"
},
"product_reference": "MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le"
},
"product_reference": "MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-translations-common-91.6.1-152.19.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x"
},
"product_reference": "MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64"
},
"product_reference": "MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64"
},
"product_reference": "MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le"
},
"product_reference": "MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-translations-other-91.6.1-152.19.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x"
},
"product_reference": "MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
},
"product_reference": "MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-26485",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-26485"
}
],
"notes": [
{
"category": "general",
"text": "Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-26485",
"url": "https://www.suse.com/security/cve/CVE-2022-26485"
},
{
"category": "external",
"summary": "SUSE Bug 1196809 for CVE-2022-26485",
"url": "https://bugzilla.suse.com/1196809"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-09T14:16:49Z",
"details": "important"
}
],
"title": "CVE-2022-26485"
},
{
"cve": "CVE-2022-26486",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-26486"
}
],
"notes": [
{
"category": "general",
"text": "An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-26486",
"url": "https://www.suse.com/security/cve/CVE-2022-26486"
},
{
"category": "external",
"summary": "SUSE Bug 1196809 for CVE-2022-26486",
"url": "https://bugzilla.suse.com/1196809"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-branding-upstream-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-devel-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-translations-common-91.6.1-152.19.1.x86_64",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.aarch64",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.ppc64le",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.s390x",
"openSUSE Leap 15.3:MozillaFirefox-translations-other-91.6.1-152.19.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-09T14:16:49Z",
"details": "important"
}
],
"title": "CVE-2022-26486"
}
]
}
OPENSUSE-SU-2022:0804-1
Vulnerability from csaf_opensuse - Published: 2022-03-10 16:53 - Updated: 2022-03-10 16:53Summary
Security update for MozillaThunderbird
Severity
Important
Notes
Title of the patch: Security update for MozillaThunderbird
Description of the patch: This update for MozillaThunderbird fixes the following issues:
Mozilla Thunderbird 91.6.2 (bsc#1196809):
- CVE-2022-26485: Use-after-free in XSLT parameter processing
- CVE-2022-26486: Use-after-free in WebGPU IPC Framework
Patchnames: openSUSE-SLE-15.3-2022-804,openSUSE-SLE-15.4-2022-804
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.8 (High)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.8 (High)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
11 references
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://bugzilla.suse.com/1196809 | self |
| https://www.suse.com/security/cve/CVE-2022-26485/ | self |
| https://www.suse.com/security/cve/CVE-2022-26486/ | self |
| https://www.suse.com/security/cve/CVE-2022-26485 | external |
| https://bugzilla.suse.com/1196809 | external |
| https://www.suse.com/security/cve/CVE-2022-26486 | external |
| https://bugzilla.suse.com/1196809 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for MozillaThunderbird",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for MozillaThunderbird fixes the following issues:\n\nMozilla Thunderbird 91.6.2 (bsc#1196809):\n\n- CVE-2022-26485: Use-after-free in XSLT parameter processing\n- CVE-2022-26486: Use-after-free in WebGPU IPC Framework\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-SLE-15.3-2022-804,openSUSE-SLE-15.4-2022-804",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0804-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2022:0804-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2QKMX6IGL25P7OFW2JTNRZ4AD2EN4OAZ/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2022:0804-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2QKMX6IGL25P7OFW2JTNRZ4AD2EN4OAZ/"
},
{
"category": "self",
"summary": "SUSE Bug 1196809",
"url": "https://bugzilla.suse.com/1196809"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-26485 page",
"url": "https://www.suse.com/security/cve/CVE-2022-26485/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-26486 page",
"url": "https://www.suse.com/security/cve/CVE-2022-26486/"
}
],
"title": "Security update for MozillaThunderbird",
"tracking": {
"current_release_date": "2022-03-10T16:53:02Z",
"generator": {
"date": "2022-03-10T16:53:02Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2022:0804-1",
"initial_release_date": "2022-03-10T16:53:02Z",
"revision_history": [
{
"date": "2022-03-10T16:53:02Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "MozillaThunderbird-91.6.2-8.59.1.aarch64",
"product": {
"name": "MozillaThunderbird-91.6.2-8.59.1.aarch64",
"product_id": "MozillaThunderbird-91.6.2-8.59.1.aarch64"
}
},
{
"category": "product_version",
"name": "MozillaThunderbird-translations-common-91.6.2-8.59.1.aarch64",
"product": {
"name": "MozillaThunderbird-translations-common-91.6.2-8.59.1.aarch64",
"product_id": "MozillaThunderbird-translations-common-91.6.2-8.59.1.aarch64"
}
},
{
"category": "product_version",
"name": "MozillaThunderbird-translations-other-91.6.2-8.59.1.aarch64",
"product": {
"name": "MozillaThunderbird-translations-other-91.6.2-8.59.1.aarch64",
"product_id": "MozillaThunderbird-translations-other-91.6.2-8.59.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "MozillaThunderbird-91.6.2-8.59.1.ppc64le",
"product": {
"name": "MozillaThunderbird-91.6.2-8.59.1.ppc64le",
"product_id": "MozillaThunderbird-91.6.2-8.59.1.ppc64le"
}
},
{
"category": "product_version",
"name": "MozillaThunderbird-translations-common-91.6.2-8.59.1.ppc64le",
"product": {
"name": "MozillaThunderbird-translations-common-91.6.2-8.59.1.ppc64le",
"product_id": "MozillaThunderbird-translations-common-91.6.2-8.59.1.ppc64le"
}
},
{
"category": "product_version",
"name": "MozillaThunderbird-translations-other-91.6.2-8.59.1.ppc64le",
"product": {
"name": "MozillaThunderbird-translations-other-91.6.2-8.59.1.ppc64le",
"product_id": "MozillaThunderbird-translations-other-91.6.2-8.59.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "MozillaThunderbird-91.6.2-8.59.1.s390x",
"product": {
"name": "MozillaThunderbird-91.6.2-8.59.1.s390x",
"product_id": "MozillaThunderbird-91.6.2-8.59.1.s390x"
}
},
{
"category": "product_version",
"name": "MozillaThunderbird-translations-common-91.6.2-8.59.1.s390x",
"product": {
"name": "MozillaThunderbird-translations-common-91.6.2-8.59.1.s390x",
"product_id": "MozillaThunderbird-translations-common-91.6.2-8.59.1.s390x"
}
},
{
"category": "product_version",
"name": "MozillaThunderbird-translations-other-91.6.2-8.59.1.s390x",
"product": {
"name": "MozillaThunderbird-translations-other-91.6.2-8.59.1.s390x",
"product_id": "MozillaThunderbird-translations-other-91.6.2-8.59.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "MozillaThunderbird-91.6.2-8.59.1.x86_64",
"product": {
"name": "MozillaThunderbird-91.6.2-8.59.1.x86_64",
"product_id": "MozillaThunderbird-91.6.2-8.59.1.x86_64"
}
},
{
"category": "product_version",
"name": "MozillaThunderbird-translations-common-91.6.2-8.59.1.x86_64",
"product": {
"name": "MozillaThunderbird-translations-common-91.6.2-8.59.1.x86_64",
"product_id": "MozillaThunderbird-translations-common-91.6.2-8.59.1.x86_64"
}
},
{
"category": "product_version",
"name": "MozillaThunderbird-translations-other-91.6.2-8.59.1.x86_64",
"product": {
"name": "MozillaThunderbird-translations-other-91.6.2-8.59.1.x86_64",
"product_id": "MozillaThunderbird-translations-other-91.6.2-8.59.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaThunderbird-91.6.2-8.59.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.aarch64"
},
"product_reference": "MozillaThunderbird-91.6.2-8.59.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaThunderbird-91.6.2-8.59.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.ppc64le"
},
"product_reference": "MozillaThunderbird-91.6.2-8.59.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaThunderbird-91.6.2-8.59.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.s390x"
},
"product_reference": "MozillaThunderbird-91.6.2-8.59.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaThunderbird-91.6.2-8.59.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.x86_64"
},
"product_reference": "MozillaThunderbird-91.6.2-8.59.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaThunderbird-translations-common-91.6.2-8.59.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.aarch64"
},
"product_reference": "MozillaThunderbird-translations-common-91.6.2-8.59.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaThunderbird-translations-common-91.6.2-8.59.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.ppc64le"
},
"product_reference": "MozillaThunderbird-translations-common-91.6.2-8.59.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaThunderbird-translations-common-91.6.2-8.59.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.s390x"
},
"product_reference": "MozillaThunderbird-translations-common-91.6.2-8.59.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaThunderbird-translations-common-91.6.2-8.59.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.x86_64"
},
"product_reference": "MozillaThunderbird-translations-common-91.6.2-8.59.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaThunderbird-translations-other-91.6.2-8.59.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.aarch64"
},
"product_reference": "MozillaThunderbird-translations-other-91.6.2-8.59.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaThunderbird-translations-other-91.6.2-8.59.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.ppc64le"
},
"product_reference": "MozillaThunderbird-translations-other-91.6.2-8.59.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaThunderbird-translations-other-91.6.2-8.59.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.s390x"
},
"product_reference": "MozillaThunderbird-translations-other-91.6.2-8.59.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "MozillaThunderbird-translations-other-91.6.2-8.59.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.x86_64"
},
"product_reference": "MozillaThunderbird-translations-other-91.6.2-8.59.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-26485",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-26485"
}
],
"notes": [
{
"category": "general",
"text": "Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.x86_64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.x86_64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-26485",
"url": "https://www.suse.com/security/cve/CVE-2022-26485"
},
{
"category": "external",
"summary": "SUSE Bug 1196809 for CVE-2022-26485",
"url": "https://bugzilla.suse.com/1196809"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.x86_64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.x86_64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.x86_64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.x86_64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-10T16:53:02Z",
"details": "important"
}
],
"title": "CVE-2022-26485"
},
{
"cve": "CVE-2022-26486",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-26486"
}
],
"notes": [
{
"category": "general",
"text": "An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox \u003c 97.0.2, Firefox ESR \u003c 91.6.1, Firefox for Android \u003c 97.3.0, Thunderbird \u003c 91.6.2, and Focus \u003c 97.3.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.x86_64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.x86_64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-26486",
"url": "https://www.suse.com/security/cve/CVE-2022-26486"
},
{
"category": "external",
"summary": "SUSE Bug 1196809 for CVE-2022-26486",
"url": "https://bugzilla.suse.com/1196809"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.x86_64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.x86_64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-91.6.2-8.59.1.x86_64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-translations-common-91.6.2-8.59.1.x86_64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.aarch64",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.ppc64le",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.s390x",
"openSUSE Leap 15.3:MozillaThunderbird-translations-other-91.6.2-8.59.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-03-10T16:53:02Z",
"details": "important"
}
],
"title": "CVE-2022-26486"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…