CVE-2022-26486 An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw.
The issue is triggered when WebGPU is enabled in a site and a malformed message is received by the browser. By sending a malformed message,
CVE-2022-31737 An attacker wrote code outside of WebGL memory, which could lead to memory corruption and a crash.
A malicious website could cause a user to inadvertently click a malicous link, leading to code execution. This vulnerability affects Thunderbird 91.10, Firefox 101,
CVE-2022-31748 Gabriele Svelto, Timothy Nikkel, Randell Jesup, and the Mozilla Fuzzing Team found memory safety bugs in Firefox 100.
It is likely that some of these issues were discovered by automated tools. For example, it is possible to use the Google fuzzing framework to
CVE-2022-29917 Mozilla developers found memory safety bugs in Firefox 99 and Firefox ESR 91.8.
This issue was fixed in Thunderbird 24.3.0.1, ESR 24.3.0.1, and Firefox 27.0.1. If you are running any
CVE-2022-22756 Drag and drop of an image could lead to file being changed to run arbitrary code after user clicks.
Mozilla was aware of the issue since late 2015 and issued an advisory with the details. However, the browser’s default setting did not prompt
Episode
00:00:00
00:00:00