CVE-2022-26485

Publication date 6 March 2022

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

Removing an XSLT parameter during processing could have lead to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
firefox	23.04 lunar	Fixed 1:1snap1-0ubuntu1
	22.10 kinetic	Fixed 1:1snap1-0ubuntu1
	22.04 LTS jammy	Fixed 1:1snap1-0ubuntu1
	21.10 impish	Fixed 97.0.2+build1-0ubuntu0.21.10.1
	20.04 LTS focal	Fixed 97.0.2+build1-0ubuntu0.20.04.1
	18.04 LTS bionic	Fixed 97.0.2+build1-0ubuntu0.18.04.1

Notes

tyhicks

mozjs contains a copy of the SpiderMonkey JavaScript engine

Severity score breakdown

Parameter	Value
Base score	8.8 · High
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-5314-1
Firefox vulnerabilities
6 March 2022