CVE-2022-26485 — Mozilla Firefox Use-After-Free Vulnerability


Mozilla Firefox/Firefox ESR/Thunderbird — XSLT Parameter Processing Use-After-Free; March 2022 Zero-Day; KEV Added 9 Months Before NVD Publication

What is Mozilla Firefox XSLT Processing?

XSLT (Extensible Stylesheet Language Transformations) is an XML-based language for transforming XML documents into other formats. Firefox includes a built-in XSLT processor that handles XSL stylesheets encountered in web content. The XSLT processor manages XSLT parameters — named values passed to a stylesheet during transformation — as JavaScript-accessible objects. Use-after-free vulnerabilities in the XSLT parameter handling code arise when a parameter object is freed from memory while a JavaScript reference to it remains live; subsequent access through that stale reference corrupts heap state, enabling arbitrary code execution. Firefox's XSLT implementation is shared across Firefox, Firefox ESR, and Thunderbird (which also renders HTML content via the Gecko engine).

Overview

CVE-2022-26485 is a use-after-free vulnerability (CWE-416) in Mozilla Firefox's XSLT parameter processing that allows an attacker to achieve arbitrary code execution by serving a maliciously crafted web page containing XSLT content. Mozilla patched it on March 5, 2022 as an emergency out-of-band release (Firefox 97.0.2, ESR 91.6.1, Thunderbird 91.6.2) alongside companion zero-day CVE-2022-26486 (another Firefox use-after-free). CISA added CVE-2022-26485 to the KEV catalog 2 days after patching; the NVD datePublished of December 22, 2022 is a registration artifact 9 months later, not the actual disclosure or patch date.

Affected Versions

Product               Affected           Fixed
Mozilla Firefox       Prior to 97.0.2    97.0.2 (March 5, 2022)
Mozilla Firefox ESR   Prior to 91.6.1    91.6.1 (March 5, 2022)
Mozilla Thunderbird   Prior to 91.6.2    91.6.2 (March 5, 2022)

Technical Details

Use-after-free (CWE-416) in Firefox's XSLT parameter processor occurs during the lifecycle management of XSLT parameter objects. When an XSLT stylesheet is processed with parameters, Firefox creates parameter objects and makes them accessible to the XSLT processor and potentially to JavaScript. The vulnerability arises when a parameter object is freed — through a stylesheet removal, parameter reset, or garbage collection triggered by crafted JavaScript — while the XSLT processor still holds a live reference to that object. Subsequent access through the stale pointer reads or writes into memory that may have been reclaimed and repurposed, enabling heap corruption.

The exploit chain:

  1. Serve malicious web content — deliver a page with crafted XSLT stylesheet and accompanying JavaScript that triggers the specific parameter object lifecycle sequence
  2. Trigger the use-after-free — the parameter object is freed while still referenced by the XSLT processor; the attacker controls what occupies the freed memory
  3. Achieve heap corruption — the stale pointer dereference writes attacker-controlled data into the reallocated memory region
  4. Execute arbitrary code — with heap corruption, redirect the Firefox renderer process execution to attacker-supplied shellcode

CVE-2022-26485 was patched in the same emergency release as CVE-2022-26486, a separate use-after-free in Firefox's WebGPU IPC framework — both were confirmed as actively exploited zero-days at the time of the emergency release.

Discovery

CVE-2022-26485 was reported to Mozilla by Wang Gang, Liu Jialei, Du Sihang, Zeng Peng, and Zhu Kedong of 360 ATA (Advanced Threat Analysis), a Chinese security research team. The team reported both CVE-2022-26485 and CVE-2022-26486 simultaneously as actively exploited zero-days, prompting Mozilla's emergency March 5, 2022 release. The rapid KEV addition (March 7) confirms the active exploitation was already known to CISA at patch time.

The NVD datePublished value of "2022-12-22" is purely a registration artifact: the actual patch, KEV addition, and active exploitation all occurred in March 2022.

Exploitation Context

Mozilla's emergency out-of-band patch release was a strong signal of confirmed in-the-wild exploitation at the time of disclosure. The March 2022 emergency release was one of only a few emergency Firefox patches in that year, and the simultaneous patching of two use-after-free zero-days (CVE-2022-26485 and CVE-2022-26486) suggests a sophisticated attack chain. Firefox zero-day exploitation typically targets:

  • Enterprise and government employees who use Firefox as their primary browser
  • Organizations that have not deployed automatic browser update policies
  • Users of Firefox ESR (Extended Support Release) common in enterprise environments, where ESR update cycles can lag current releases

The 2-day KEV add reflects that CISA was informed of active exploitation concurrent with Mozilla's disclosure.

Remediation

  1. Update Firefox to 97.0.2 or later — the emergency patch was released March 5, 2022; ensure all Firefox installations are current.
  2. Update Firefox ESR to 91.6.1 or later — enterprise deployments using Firefox ESR are also affected; apply the emergency ESR update.
  3. Update Thunderbird to 91.6.2 or later — Thunderbird uses the same Gecko rendering engine and is also affected.
  4. Enable automatic browser updates — configure Firefox and Thunderbird to update automatically or apply updates promptly; zero-day patches require rapid deployment.
  5. Deploy browser update compliance monitoring — for enterprise environments, use endpoint management tools to verify browser versions and flag out-of-date installations.
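
The compliance check in step 5 can be automated once the fixed builds from the Affected Versions table are encoded. The script below is an added example, not code from the advisory or from Mozilla: it takes an endpoint inventory (the record layout with host, product and version fields, and the hostnames and versions themselves, are constructed for this example), compares each reported version against the March 5, 2022 fixed builds, and reports every installation that is still below the fix or whose version cannot be verified.

```python
"""Browser update compliance check for CVE-2022-26485.

Added example (not part of the advisory). Given an inventory of endpoints
and the Mozilla product/version each reports, flag any installation still
below the fixed builds named in the advisory. The record layout
(host, product, version) and all sample values are assumptions of this example.
"""
import re
from typing import Dict, List, Tuple

# Fixed versions from the advisory (March 5, 2022 emergency release).
FIXED_VERSIONS: Dict[str, str] = {
    "firefox": "97.0.2",
    "firefox-esr": "91.6.1",
    "thunderbird": "91.6.2",
}

# Accepts '97.0.2', '91.6', '91.6.1esr'; anything else is rejected.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a Mozilla version string into a comparable (major, minor, patch) tuple.

    Missing components default to 0 so that '97.0' compares equal to '97.0.0'.
    Raises ValueError on anything that does not look like a Mozilla version.
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, _esr = m.groups()
    return (int(major), int(minor or 0), int(patch or 0))


def normalise_product(product: str, version: str) -> str:
    """Map a reported product name onto the advisory's product keys.

    An 'esr' suffix in the version string marks an ESR build even when the
    inventory tool reports the product simply as 'Firefox'.
    """
    p = product.strip().lower().replace(" ", "-")
    if p in ("firefox", "mozilla-firefox"):
        return "firefox-esr" if version.strip().lower().endswith("esr") else "firefox"
    if p in ("firefox-esr", "mozilla-firefox-esr"):
        return "firefox-esr"
    if p in ("thunderbird", "mozilla-thunderbird"):
        return "thunderbird"
    raise ValueError(f"unknown product: {product!r}")


def is_vulnerable(product: str, version: str) -> bool:
    """True if this product/version is below the fixed build for CVE-2022-26485."""
    key = normalise_product(product, version)
    return parse_version(version) < parse_version(FIXED_VERSIONS[key])


def find_noncompliant(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return inventory records that still need the March 2022 update.

    Records with unparseable data are reported too, with a 'reason' field,
    because an unverifiable browser version must not pass silently.
    """
    findings = []
    for rec in inventory:
        try:
            key = normalise_product(rec["product"], rec["version"])
            if is_vulnerable(rec["product"], rec["version"]):
                findings.append({**rec, "reason": f"below fixed {FIXED_VERSIONS[key]}"})
        except (KeyError, ValueError) as exc:
            findings.append({**rec, "reason": f"unverifiable: {exc}"})
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "ws-001", "product": "Firefox", "version": "97.0.2"},
    {"host": "ws-002", "product": "Firefox", "version": "97.0.1"},
    {"host": "ws-003", "product": "Firefox", "version": "91.6.1esr"},
    {"host": "ws-004", "product": "Firefox ESR", "version": "91.6.0"},
    {"host": "ws-005", "product": "Thunderbird", "version": "91.6.2"},
    {"host": "ws-006", "product": "Thunderbird", "version": "91.5.1"},
    {"host": "ws-007", "product": "Firefox", "version": "unknown"},
]

if __name__ == "__main__":
    for f in find_noncompliant(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['product']} {f['version']} -> {f['reason']}")
```

Run against the constructed inventory, the check flags ws-002 (Firefox below 97.0.2), ws-004 (ESR below 91.6.1), ws-006 (Thunderbird below 91.6.2) and ws-007 (unverifiable version). One caveat for real deployments: if the inventory tool reports an ESR build as plain "Firefox" without an esr suffix, a patched ESR 91.6.1 is compared against 97.0.2 and flagged. That is a false positive, and the conservative direction for a zero-day, but it means the ESR channel should be recorded explicitly in the inventory.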

Key Details

Property               Value
CVE ID                 CVE-2022-26485
Vendor / Product       Mozilla — Firefox
NVD Published          2022-12-22
NVD Last Modified      2025-11-04
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-416
CISA KEV Added         2022-03-07
CISA KEV Deadline      2022-03-21
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-03-21. Apply updates per vendor instructions.

Timeline

Date         Event
2022-03-05   Mozilla releases emergency patches — Firefox 97.0.2, Firefox ESR 91.6.1, and Thunderbird 91.6.2 — fixing CVE-2022-26485 and CVE-2022-26486 as actively exploited zero-days
2022-03-07   CISA adds CVE-2022-26485 to the Known Exploited Vulnerabilities catalog — 2 days after the emergency patch
2022-03-21   CISA BOD 22-01 remediation deadline
2022-12-22   CVE-2022-26485 formally published to NVD — approximately 9 months after Mozilla's emergency patch

References

Resource                   Type
NVD — CVE-2022-26485       Vulnerability Database
CISA KEV Catalog Entry     US Government