CVE-2022-26485

CVE Database · CVE-2022-26485

CVE-2022-26485

· HIGHAnalyzed

CVSS v3.1

8.8

EPSS

14.26%

Published

Dec 22, 2022

Modified

Nov 4, 2025

CISA Known Exploited Vulnerability

Added: 2022-03-07 · Due: 2022-03-21

Apply updates per vendor instructions.

Public PoC / Exploit (2)

All weaponized →

TrickestTrickest PoC index GitHub PoCmistymntncop/CVE-2022-26485★17

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-416CWE-416

Affected Products (5)

mozilla · firefox (up to 91.6.1)vulnerable

mozilla · firefox (up to 97.0.2)vulnerable

mozilla · firefox (up to 97.3.0)vulnerable

mozilla · firefox_focus (up to 97.3.0)vulnerable

mozilla · thunderbird (up to 91.6.2)vulnerable

References (5)

https://bugzilla.mozilla.org/show_bug.cgi?id=1758062