A critical use-after-free vulnerability (CVE-2022-26485) has been identified in Mozilla's XSLT implementation, which is shared by Firefox, Firefox ESR, Firefox for Android, Thunderbird, and Focus. An attacker who can get a victim to process attacker-controlled XML and XSLT content can potentially use it to execute arbitrary code in the affected application. Mozilla has stated that it received reports of this flaw being exploited in the wild.

Details of the Vulnerability

The vulnerability stems from the improper handling of an XSLT parameter during processing. Stylesheet parameters are set from script through the XSLTProcessor DOM API (setParameter, getParameter, removeParameter); removing a parameter while a transformation that uses it is still in progress could leave a dangling reference to the freed parameter value, producing an exploitable use-after-free. It affects the following software versions:

Attack Scenario

An attacker typically crafts a malicious webpage or email containing an XML document and an XSLT stylesheet, together with script that drives the transformation and manipulates the stylesheet's parameters while it runs. Processing the XML document with the manipulated stylesheet triggers the use-after-free. Depending on how reliably the freed memory can be reclaimed, the result is either arbitrary code execution in the browser or mail client, or a crash (denial of service).

An example XML document that references an external XSLT stylesheet

<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="malicious.xsl"?>
<document>
  <data>sample data</data>
</document>

An example of the referenced stylesheet (malicious.xsl), declaring the parameter that the attacker's script would later remove

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <!-- Top-level parameter; its value can be overridden or removed from script via XSLTProcessor -->
  <xsl:param name="paramToRemove" select="'value'"/>

  <xsl:template match="/">
    <root>
      <xsl:apply-templates select="document/data"/>
    </root>
  </xsl:template>

  <xsl:template match="data">
    <xsl:value-of select="."/>
    <!-- The stylesheet itself cannot remove its parameter; this template only
         references it so that the parameter is live while processing runs.
         The removal that triggers the bug is done by the host's script. -->
    <xsl:if test="$paramToRemove != ''">
      <xsl:message terminate="yes">Terminating processing</xsl:message>
    </xsl:if>
  </xsl:template>
</xsl:stylesheet>
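Because the delivery vehicle described above is an XML document that points at an external XSLT stylesheet, one cheap triage step for a mail or web gateway is to list the xml-stylesheet processing instructions in incoming XML before a browser or mail client ever sees them. The following is an added example written for this article, not code from Mozilla or from the original page; it parses the document-level processing instructions with the standard library and flags references whose media type is one of the two usually used for XSLT (text/xsl and application/xslt+xml, an assumption about what to flag rather than an exhaustive list). The sample document is constructed to mirror the one shown above.

```python
import re
import xml.dom.minidom

# Constructed sample, mirroring the XML document shown earlier in this article.
SAMPLE_XML = """<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="malicious.xsl"?>
<document>
  <data>sample data</data>
</document>
"""

# Media types treated as "looks like XSLT" for triage purposes (assumption).
XSLT_TYPES = {"text/xsl", "application/xslt+xml"}

# Pseudo-attributes inside a processing instruction: name="value" or name='value'.
_PSEUDO_ATTR = re.compile(r"""([A-Za-z_][\w.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def _pseudo_attrs(pi_data):
    """Parse the pseudo-attributes of an xml-stylesheet PI into a dict."""
    attrs = {}
    for name, dq, sq in _PSEUDO_ATTR.findall(pi_data):
        attrs[name] = dq if dq else sq
    return attrs


def find_stylesheet_refs(xml_text):
    """Return (type, href) pairs for every document-level xml-stylesheet PI.

    Only document-level PIs (siblings of the root element) are considered,
    because that is where the xml-stylesheet association is defined.
    """
    dom = xml.dom.minidom.parseString(xml_text)
    refs = []
    for node in dom.childNodes:
        if (node.nodeType == node.PROCESSING_INSTRUCTION_NODE
                and node.target == "xml-stylesheet"):
            attrs = _pseudo_attrs(node.data)
            refs.append((attrs.get("type", ""), attrs.get("href", "")))
    return refs


def flag_xslt_refs(xml_text):
    """Return the hrefs of stylesheet references whose media type indicates XSLT."""
    return [href for typ, href in find_stylesheet_refs(xml_text)
            if typ.lower() in XSLT_TYPES]


if __name__ == "__main__":
    for href in flag_xslt_refs(SAMPLE_XML):
        print("XSLT stylesheet referenced:", href)
```

xml.dom.minidom is used here only because it preserves processing instructions; when the input is genuinely untrusted, parse with a hardened library such as defusedxml (or impose size and entity-expansion limits) before applying this check, since the triage script should not become the new attack surface.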

Mitigation

Users are advised to update to the latest versions of the affected products; Mozilla has released patched builds of each that fix this vulnerability:
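Checking whether a fleet is actually on a patched build is a version comparison that has to respect the separate Firefox and Firefox ESR release lines, since a Firefox ESR 91.6.0 install is vulnerable even though 91 is numerically below the fixed release-channel version. The following is an added example for this article, not Mozilla's code; the minimum fixed versions it uses are those listed in Mozilla's advisory for this CVE (MFSA 2022-09), and the inventory records are constructed sample input.

```python
import re

# Minimum fixed versions per product, as listed in MFSA 2022-09.
FIXED_VERSIONS = {
    "Firefox": (97, 0, 2),
    "Firefox ESR": (91, 6, 1),
    "Firefox for Android": (97, 3, 0),
    "Thunderbird": (91, 6, 2),
    "Focus": (97, 3, 0),
}

_VERSION = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Turn '97.0.2', '91.6.1esr' or '98.0' into a 3-tuple of ints.

    Missing components are treated as 0 and trailing channel suffixes
    such as 'esr' are ignored.
    """
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def is_patched(product, version):
    """Return True if this product/version is at or above the fixed release."""
    if product not in FIXED_VERSIONS:
        raise KeyError("unknown product: %r" % product)
    return parse_version(version) >= FIXED_VERSIONS[product]


def vulnerable_hosts(inventory):
    """Filter (host, product, version) records down to those still exposed."""
    return [(host, product, version) for host, product, version in inventory
            if not is_patched(product, version)]


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "97.0.2"),
    ("ws-02", "Firefox", "97.0.1"),
    ("ws-03", "Firefox ESR", "91.6.0esr"),
    ("ws-04", "Firefox ESR", "91.6.1esr"),
    ("mail-01", "Thunderbird", "91.6.2"),
    ("mail-02", "Thunderbird", "91.5.0"),
    ("phone-01", "Firefox for Android", "97.3.0"),
    ("phone-02", "Focus", "96.0"),
]

if __name__ == "__main__":
    for host, product, version in vulnerable_hosts(SAMPLE_INVENTORY):
        print("%s: %s %s needs updating" % (host, product, version))
```

Feed it the product name reported by your endpoint inventory rather than guessing the channel from the number alone: a "91.x" Firefox is an ESR build, and the check only gives the right answer when it is compared against the ESR line.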

Original References

1. Mozilla Foundation Security Advisory 2022-09 (MFSA 2022-09)
2. CVE-2022-26485 - NVD
3. Firefox release notes
4. Thunderbird release notes
5. Firefox Focus release notes

Conclusion

All users of affected software should ensure that their systems are promptly updated to the patched versions. Because the flaw is reachable from ordinary web and email content, general precautions such as not following suspicious links or opening unexpected messages reduce exposure, but they are no substitute for applying the update.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 16:22:00 UTC