An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HMozilla Firefox
APPMozilla< 91.6.1< 97.0.2< 97.3.0Mozilla Firefox Focus
APPMozilla< 97.3.0Mozilla Thunderbird
APPMozilla< 91.6.2
CISA KEV — detailsi
- Vendori
- Mozilla ↗
- Producti
- Firefox
- Added to KEVi
- March 7, 2022
- Remediation deadline (US Federal)i
- March 21, 2022(overdue)
Apply updates per vendor instructions.
Mozilla Firefox contains a use-after-free vulnerability in WebGPU IPC Framework which can be exploited to perform arbitrary code execution.
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...
Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird ...