CVE-2022-26486

Publication date 6 March 2022

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw. This vulnerability affects Firefox < 97.0.2, Firefox ESR < 91.6.1, Firefox for Android < 97.3.0, Thunderbird < 91.6.2, and Focus < 97.3.0.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
firefox	23.04 lunar	Fixed 1:1snap1-0ubuntu1
	22.10 kinetic	Fixed 1:1snap1-0ubuntu1
	22.04 LTS jammy	Fixed 1:1snap1-0ubuntu1
	21.10 impish	Fixed 97.0.2+build1-0ubuntu0.21.10.1
	20.04 LTS focal	Fixed 97.0.2+build1-0ubuntu0.20.04.1
	18.04 LTS bionic	Fixed 97.0.2+build1-0ubuntu0.18.04.1

Notes

tyhicks

mozjs contains a copy of the SpiderMonkey JavaScript engine

Severity score breakdown

Parameter	Value
Base score	9.6 · Critical
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Changed
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-5314-1
Firefox vulnerabilities
6 March 2022