CVE-2022-28282Use After Free in Mozilla Firefox

CWE-416Use After Free13 documents8 sources
Severity
6.5MEDIUMNVD
EPSS
5.3%
top 9.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird
Timeline
PublishedDec 22

Description

By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potential exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages9 packages

CVEListV5mozilla/firefoxunspecified99
NVDmozilla/firefox< 99.0
CVEListV5mozilla/firefox_esrunspecified91.8
Ubuntumozilla/firefox< 99.0+build2-0ubuntu0.18.04.2+1

🔴Vulnerability Details

5
CVEList
CVE-2022-28282: By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then refere2022-12-22
GHSA
GHSA-mp96-4frc-r2pg: By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then refere2022-12-22
OSV
CVE-2022-28282: By using a link with rel="localization" a use-after-free could have been triggered by destroying an object during JavaScript execution and then refere2022-12-22
OSV
thunderbird vulnerabilities2022-04-27
OSV
firefox vulnerabilities2022-04-07

📋Vendor Advisories

7
Ubuntu
Thunderbird vulnerabilities2022-04-27
Ubuntu
Firefox vulnerabilities2022-04-07
Red Hat
Mozilla: Use-after-free in DocumentL10n::TranslateDocument2022-04-05
Debian
CVE-2022-28282: firefox - By using a link with <code>rel="localization"</code> a use-after-free could have...2022
Mozilla
Mozilla Foundation Security Advisory 2022-14: CVE-2022-28282
CVE-2022-28282 — Use After Free in Mozilla Firefox | cvebase