CVE-2022-26485

Publication date 6 March 2022

Last updated 25 August 2025

Ubuntu priority

High

Why this priority?

Cvss 3 Severity Score

8.8 · High

Score breakdown

Description

Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

Read the notes from the security team

Status

Package Ubuntu Release Status
firefox 23.04 lunar
Fixed 1:1snap1-0ubuntu1
22.10 kinetic
Fixed 1:1snap1-0ubuntu1
22.04 LTS jammy
Fixed 1:1snap1-0ubuntu1
21.10 impish
Fixed 97.0.2+build1-0ubuntu0.21.10.1
20.04 LTS focal
Fixed 97.0.2+build1-0ubuntu0.20.04.1
18.04 LTS bionic
Fixed 97.0.2+build1-0ubuntu0.18.04.1

Notes

tyhicks

mozjs contains a copy of the SpiderMonkey JavaScript engine

Severity score breakdown

CVSS version: CVSS v3.0

Base score 8.8 · High

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

Other references

Access our resources on patching vulnerabilities