Cyber Resilience

CVE-2022-26485

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 22 December 2022
Modified: 04 November 2025
KEV Added: 07 March 2022
Patch: available (see MFSA 2022-09 below)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0285 (86.6th percentile)
Risk Priority: 39 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-26485 is a high-severity use-after-free (CWE-416) vulnerability in Mozilla Firefox and in the other Gecko-based Mozilla products that share its XSLT engine (Firefox ESR, Firefox for Android, Firefox Focus and Thunderbird). Its CVSS v3.1 base score is 8.8 (High).

Operationally, its EPSS score places it in the top 13.4% of CVEs by exploit likelihood (86.6th percentile); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

CVE-2022-26485 is a use-after-free vulnerability (CWE-416) that arises when an XSLT parameter is removed during processing. It affects Firefox versions prior to 97.0.2, Firefox ESR prior to 91.6.1, Firefox for Android prior to 97.3.0, Thunderbird prior to 91.6.2, and Focus prior to 97.3.0. The flaw received a CVSS 3.1 score of 8.8.
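As an added check (not part of this page or of Mozilla's own tooling), the following Python helper decides whether a given Mozilla product and version predates the fix for CVE-2022-26485. The fixed versions are those from MFSA 2022-09 quoted above; the product keys, the sample inventory and the `--version` banner format it parses are assumptions made for illustration. The point it makes that a flat version table does not: Firefox desktop has two lines that were fixed independently, so 91.6.1esr is patched while 96.0.3, a higher number on the release line, is not.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions from MFSA 2022-09 as quoted on this page. Firefox desktop has two
# supported lines that were fixed separately: ESR 91 (fixed in 91.6.1) and the
# release line (fixed in 97.0.2). A branch of None is the product's default line.
# The product keys are an assumption of this example, not Mozilla identifiers.
FIXED_VERSIONS: Dict[str, List[Tuple[Optional[int], str]]] = {
    "firefox":         [(91, "91.6.1"), (None, "97.0.2")],
    "firefox_android": [(None, "97.3.0")],
    "firefox_focus":   [(None, "97.3.0")],
    "thunderbird":     [(None, "91.6.2")],
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric part of a Mozilla version string: '91.6.1esr' -> (91, 6, 1).

    Suffixes ('esr', 'b3', 'a1') are dropped, so a beta or nightly build is
    compared as the release it precedes, which errs on the side of 'vulnerable'.
    Missing components are padded with zeros so '97' compares as (97, 0, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def version_from_banner(banner: str) -> str:
    """Extract the version from `firefox --version` style output such as
    'Mozilla Firefox 91.6.0esr' or 'Mozilla Thunderbird 91.6.1' (assumed format)."""
    m = re.search(r"(\d+(?:\.\d+)*[a-z0-9]*)\s*$", banner.strip())
    if not m:
        raise ValueError(f"no version in banner: {banner!r}")
    return m.group(1)


def fixed_version_for(product: str, version: Tuple[int, ...]) -> Tuple[int, ...]:
    """The first fixed version on the line that `version` belongs to."""
    lines = FIXED_VERSIONS[product]
    for branch, fixed in lines:
        if branch is not None and version[0] == branch:
            return parse_version(fixed)
    default = next(fixed for branch, fixed in lines if branch is None)
    return parse_version(default)


def is_vulnerable(product: str, version_text: str) -> bool:
    """True if product/version predates the CVE-2022-26485 fix for its line."""
    version = parse_version(version_text)
    return version < fixed_version_for(product, version)


def scan_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that still need the patch."""
    return [row for row in inventory if is_vulnerable(row[1], row[2])]


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", version_from_banner("Mozilla Firefox 97.0.1")),
    ("ws-02", "firefox", version_from_banner("Mozilla Firefox 97.0.2")),
    ("ws-03", "firefox", version_from_banner("Mozilla Firefox 91.6.0esr")),
    ("ws-04", "firefox", version_from_banner("Mozilla Firefox 91.6.1esr")),
    ("ws-05", "firefox", version_from_banner("Mozilla Firefox 96.0.3")),
    ("mail-01", "thunderbird", version_from_banner("Mozilla Thunderbird 91.6.1")),
    ("mail-02", "thunderbird", version_from_banner("Mozilla Thunderbird 91.6.2")),
    ("phone-01", "firefox_focus", "97.2.0"),
]

if __name__ == "__main__":
    for host, product, version in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected by CVE-2022-26485")
```

Run against the sample inventory it flags ws-01, ws-03, ws-05, mail-01 and phone-01 and passes ws-02, ws-04 and mail-02. Versions below the ESR 91 line (for example an out-of-support 78.x ESR) fall through to the release-line comparison and are reported vulnerable, which is the conservative answer for builds that never received the fix.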

An attacker can exploit the issue by serving content that triggers the use-after-free, leading to arbitrary code execution inside the affected application's content process. On desktop Firefox that process is sandboxed, so reaching the rest of the system requires a separate sandbox escape; the bug itself does not provide one. Exploitation requires user interaction, such as visiting a crafted web page or opening a malicious email in Thunderbird, and Mozilla reported in-the-wild attacks abusing the flaw at the time of the advisory.

Mozilla security advisory MFSA 2022-09 recommends upgrading to the fixed versions listed above. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities catalog (added 07 March 2022), which under BOD 22-01 obliges US federal civilian agencies to remediate it by the catalog due date.

EPSS for the CVE rose from a low baseline after disclosure to a peak of 0.1738 on 2023-02-01 before receding to the current value of 0.0285, indicating a period of increased exploitation interest following public release.

Vulnerability details

Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

CWE(s): CWE-416 (Use After Free)
KEV Date Added: 07 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Ranges are exclusive of the fixed version (the fixed version itself is not affected):

mozilla firefox (release) < 97.0.2
mozilla firefox ESR < 91.6.1
mozilla firefox for Android < 97.3.0
mozilla firefox focus < 97.3.0
mozilla thunderbird < 91.6.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation
prevent

Directly requires timely application of the vendor patches that correct the XSLT parameter-handling logic and eliminate the use-after-free.

SI-16 Memory Protection
prevent

Memory-protection mechanisms (e.g., ASLR, guard pages, pointer authentication) make reliable exploitation of the use-after-free harder. They do not close the bug: Firefox release builds already ship with ASLR and DEP, and the flaw was exploited in the wild regardless.

SC-18 Mobile Code partial match
prevent

Restricts or sandbox-executes mobile code such as XSLT stylesheets before they can trigger the vulnerable parameter-removal path. The XSLT engine runs in the browser's content process, so the process sandbox limits what code execution through this flaw can reach; this is containment, not a fix.

References