CVE-2022-26486

Publication date 6 March 2022

Last updated 21 August 2024


Ubuntu priority

Cvss 3 Severity Score

9.6 · Critical

Score breakdown

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

Read the notes from the security team

Status

Package Ubuntu Release Status
firefox 23.04 lunar
Fixed 1:1snap1-0ubuntu1
22.10 kinetic
Fixed 1:1snap1-0ubuntu1
22.04 LTS jammy
Fixed 1:1snap1-0ubuntu1
21.10 impish
Fixed 97.0.2+build1-0ubuntu0.21.10.1
20.04 LTS focal
Fixed 97.0.2+build1-0ubuntu0.20.04.1
18.04 LTS bionic
Fixed 97.0.2+build1-0ubuntu0.18.04.1

Notes


tyhicks

mozjs contains a copy of the SpiderMonkey JavaScript engine

Severity score breakdown

Parameter Value
Base score 9.6 · Critical
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H