Mozilla releases emergency update to fix two exploited zero-day vulnerabilities in Firefox

Mozilla has released Firefox v97.0.2 and is pushing it to all users through the browser's built-in updater. This version contains no new features or other changes; it was released only to fix two newly discovered zero-day vulnerabilities in the Firefox browser, and the vulnerability level is high risk.

Firefox zero-day vulnerabilities
Notably, Mozilla states that both zero-day vulnerabilities in Firefox have been exploited in the wild; they can be used to execute code remotely and to escape the sandbox. The vulnerabilities are therefore very dangerous and can easily be used by highly skilled hackers to compromise a system. Firefox users should check for and install the new version immediately.
The zero-day vulnerabilities fixed by Mozilla are:

  • CVE-2022-26485: Use-after-free in XSLT parameter processing – Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw.
  • CVE-2022-26486: Use-after-free in WebGPU IPC Framework – An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw.

Users who already have Firefox installed can go directly to the About page, where Firefox will automatically check for available updates and install them. The fixes released this time also apply to Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0; users of those versions should also update to the latest version promptly.
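
For administrators checking many machines rather than one About page, the following is an added example (not from Mozilla or the original article) that flags hosts whose reported version predates the fixed versions listed above. The product labels, host names and inventory format are assumptions, as is the `Mozilla Firefox 91.6.1esr` style of version string.

```python
import re

# Fixed versions as listed in the article, keyed by a hypothetical product label.
FIXED = {
    "firefox": (97, 0, 2),
    "firefox-esr": (91, 6, 1),
    "firefox-android": (97, 3, 0),
    "focus": (97, 3, 0),
}

# Matches "97.0.2" or "91.6.1esr" inside strings such as "Mozilla Firefox 91.6.1esr".
_VERSION = re.compile(r"(\d+(?:\.\d+)*)(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_esr) parsed from a version string."""
    match = _VERSION.search(text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "97.0" is treated as 97.0.0
    return tuple(parts[:3]), match.group(2) is not None


def is_patched(product, version_text):
    """True if the reported version is at or above the fixed version for its channel."""
    version, is_esr = parse_version(version_text)
    # ESR must be compared against the ESR fix: 91.6.1esr is patched even
    # though 91.6.1 sorts below 97.0.2 numerically.
    if product == "firefox" and is_esr:
        product = "firefox-esr"
    return version >= FIXED[product]


def needs_update(inventory):
    """Return the hosts whose reported browser version predates the fix."""
    return [host for host, product, ver in inventory if not is_patched(product, ver)]


# Constructed sample inventory: (host, product label, reported version string).
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "Mozilla Firefox 97.0.1"),
    ("ws-02", "firefox", "Mozilla Firefox 97.0.2"),
    ("ws-03", "firefox", "Mozilla Firefox 91.6.1esr"),
    ("ws-04", "firefox", "Mozilla Firefox 91.6.0esr"),
    ("mob-01", "focus", "97.2.0"),
]

if __name__ == "__main__":
    print(needs_update(SAMPLE_INVENTORY))
```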