CVE-2022-38477/CVE-2022-38478: Firefox arbitrary code execution flaws

Mozilla this week announced the availability of Firefox 104 and ESR 102.2, and 91.13 in the stable channel with patches for 6 vulnerabilities, including four high-severity bugs. The new versions patch two critical memory corruption vulnerabilities that can achieve arbitrary code execution.

In its advisory for the vulnerability – the bugs tracked as CVE-2022-38477 and CVE-2022-38478, are high-severity memory safety bug within the browser engine, which could have been exploited to run arbitrary code. By tricking a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2022-38477 and CVE-2022-38478 vulnerabilities were reported by Mozilla developer Nika Layzell and the Mozilla Fuzzing Team.

CVE-2022-38472 and CVE-2022-38473, two high-severity flaws addressed in Firefox 104, could “fool the user into submitting data intended for the spoofed origin” and ” inherit the parent domain’s permissions (such as microphone or camera access).”

The new Firefox release also resolves CVE-2022-38474 and CVE-2022-38475, issues that allow to“record audio without the audio notification being shown” and “write a value to a zero-length array.”

Security researchers Christian Holler, Agi Sferro, and Armin Ebert have been credited with discovering and reporting the shortcomings.

Mozilla is not aware of any attacks exploiting this vulnerability and there does not appear to be public knowledge of the flaws.

We advised users and administrators to review Mozilla’s advisory and take action as necessary. A patch is included in Firefox Firefox 104 and ESR 102.2, and 91.13.