Overview
- Description
- An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.
- Source
- security@mozilla.org
- NVD status
- Analyzed
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 9.6
- Impact score
- 6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- Severity
- CRITICAL
Known exploits
Data from CISA
- Vulnerability name
- Mozilla Firefox Use-After-Free Vulnerability
- Exploit added on
- Mar 7, 2022
- Exploit action due
- Mar 21, 2022
- Required action
- Apply updates per vendor instructions.
Weaknesses
- nvd@nist.gov
- CWE-416
Social media
- Hype score
- Not currently trending
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9D8E2245-D602-42F5-AA80-B3CFA666E595",
"versionEndExcluding": "97.0.2"
},
{
"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*",
"vulnerable": true,
"matchCriteriaId": "CDD84821-8FA2-483B-995B-5C1F571D4247",
"versionEndExcluding": "97.3.0"
},
{
"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4AE9257B-B169-42AF-82C6-EF62FDFE2110",
"versionEndExcluding": "91.6.1"
},
{
"criteria": "cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "3F1EC4DF-B869-4BEB-BB9D-C629F82A9941",
"versionEndExcluding": "97.3.0"
},
{
"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "FA3A4431-52FE-4BEE-A847-B500211A79AD",
"versionEndExcluding": "91.6.2"
}
],
"operator": "OR"
}
]
}
]