Cyber Resilience

CVE-2022-26486

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 22 December 2022

Published
22 December 2022
Modified
04 November 2025
KEV Added
07 March 2022
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0253 85.8th percentile
Risk Priority 41 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-26486 is a critical-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 9.6 (Critical).

Operationally, ranked in the top 14.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability CVE-2022-26486 is a use-after-free flaw (CWE-416) in the WebGPU IPC framework that can produce an exploitable sandbox escape. It affects Firefox versions before 97.0.2, Firefox ESR before 91.6.1, Firefox for Android before 97.3.0, Thunderbird before 91.6.2, and Focus before 97.3.0.

An attacker can trigger the flaw by delivering an unexpected IPC message, enabling a sandbox escape with high impact on confidentiality, integrity, and availability. The attack requires user interaction over the network and has been observed in real-world exploitation.

Mozilla addressed the issue in advisory MFSA2022-09 by releasing the fixed versions listed above; the CVE is also tracked in the CISA known exploited vulnerabilities catalog.

The EPSS score rose from a low baseline to a peak of 0.0560 before receding to the current value of 0.0253, aligning with confirmed in-the-wild attacks after disclosure.

EU & UK References

Vulnerability details

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox…

more

for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

CWE(s)
KEV Date Added
07 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mozilla
firefox
≤ 91.6.1 · ≤ 97.0.2 · ≤ 97.3.0
mozilla
firefox focus
≤ 97.3.0
mozilla
thunderbird
≤ 91.6.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor patches that eliminate the use-after-free in the WebGPU IPC path before exploitation can occur.

prevent

Mandates validation and sanitization of all input messages, which would have rejected the unexpected IPC message that triggers the UAF condition.

prevent

Requires memory-safety protections that reduce the likelihood a use-after-free can be turned into a reliable sandbox escape.

References