CVE-2022-26485
Published: 22 December 2022
Summary
CVE-2022-26485 is a high-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 13.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
CVE-2022-26485 is a use-after-free vulnerability (CWE-416) that arises when an XSLT parameter is removed during processing. It affects Firefox versions prior to 97.0.2, Firefox ESR prior to 91.6.1, Firefox for Android prior to 97.3.0, Thunderbird prior to 91.6.2, and Focus prior to 97.3.0. The flaw received a CVSS 3.1 score of 8.8.
An attacker can exploit the issue by serving malicious content that triggers the use-after-free condition, leading to arbitrary code execution with the privileges of the affected application. Exploitation requires user interaction, such as visiting a crafted web page or opening a malicious email attachment, and in-the-wild attacks abusing the flaw have been reported.
Mozilla security advisory MFSA2022-09 recommends upgrading to the fixed versions listed above. The vulnerability also appears in the CISA Known Exploited Vulnerabilities catalog, which means federal agencies are required to apply the patches.
The EPSS score for the CVE rose from a low baseline after disclosure to a peak of 0.1738 on 2023-02-01 before receding to its current value of 0.0285, indicating a period of increased exploitation interest following public release.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31043
Vulnerability details
Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 07 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the vendor patches that correct the XSLT parameter-handling logic and eliminate the use-after-free.
- Memory protection mechanisms (e.g., ASLR, guard pages, pointer authentication) make reliable exploitation of the use-after-free far more difficult.
- SC-18 (Mobile Code): restricts or sandboxes the execution of mobile code such as XSLT stylesheets before it can reach the vulnerable parameter-removal path.