Lucene search

K
cveMozillaCVE-2022-26486
HistoryDec 22, 2022 - 8:15 p.m.

CVE-2022-26486

2022-12-2220:15:22
CWE-416
mozilla
web.nvd.nist.gov
1293
In Wild
2
21
cve-2022-26486
webgpu
ipc framework
use-after-free
sandbox escape
firefox
thunderbird
focus
nvd
security vulnerability

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.003

Percentile

68.1%

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

Affected configurations

Nvd
Vulners
Node
mozillafirefoxRange<97.0.2
OR
mozillafirefoxRange<97.3.0android
OR
mozillafirefox_esrRange<91.6.1
OR
mozillafirefox_focusRange<97.3.0
OR
mozillathunderbirdRange<91.6.2
VendorProductVersionCPE
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*
mozillafirefox_esr*cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
mozillafirefox_focus*cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:*:*:*
mozillathunderbird*cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "Mozilla",
    "product": "Firefox",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "97.0.2",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "Mozilla",
    "product": "Firefox ESR",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "91.6.1",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "Mozilla",
    "product": "Firefox for Android",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "97.3.0",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "Mozilla",
    "product": "Thunderbird",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "91.6.2",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  },
  {
    "vendor": "Mozilla",
    "product": "Focus",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "97.3.0",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

Social References

More

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.003

Percentile

68.1%