Firefox 97.0.2 and 91.6.1 updates fix critical 0-day vulnerabilities

Corrective releases Firefox 97.0.2 and 91.6.1 are available, fixing two vulnerabilities rated Critical. The vulnerabilities make it possible to bypass sandbox isolation and to execute an attacker's code with browser privileges when specially crafted content is processed. Working exploits are reported to exist for both issues and are already being used in attacks.

Details have not yet been disclosed; it is only known that the first vulnerability (CVE-2022-26485) is a use-after-free (access to an already freed memory area) in the code that processes the XSLT parameter, and the second (CVE-2022-26486) is a use-after-free in the WebGPU IPC framework.

All users of browsers based on the Firefox engine are advised to install the updates urgently. Users of Tor Browser, which is based on the Firefox 91 ESR branch, should pay particular attention to installing updates, since the vulnerabilities can lead not only to compromise of the system but also to deanonymization of the user. A Tor Browser update that fixes these vulnerabilities has not yet been prepared.
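To check an inventory of installed browsers against the two fixed versions named above, the following added example (not part of the original article or any Mozilla tooling) parses `firefox --version` style strings and compares each against the fixed release for its branch. The host names, version strings and function names are constructed for illustration.

```python
import re

# Fixed versions named in the article.
FIXED_ESR = (91, 6, 1)      # ESR 91 branch
FIXED_RELEASE = (97, 0, 2)  # regular release branch

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_esr) from e.g. 'Mozilla Firefox 91.6.0esr'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Firefox version found in {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return (major, minor, patch), m.group(4) is not None


def has_fix(text):
    """True if the reported version is at or above the fixed release for its branch."""
    version, is_esr = parse_version(text)
    if is_esr or version[0] == FIXED_ESR[0]:
        # ESR builds (and any 91.x build) are compared against 91.6.1.
        return version >= FIXED_ESR
    # Everything else is compared against the regular release 97.0.2.
    return version >= FIXED_RELEASE


def hosts_without_fix(inventory):
    """Return the hosts whose reported Firefox version predates the fix."""
    return [host for host, reported in inventory if not has_fix(reported)]


# Constructed sample inventory: (host, output of `firefox --version`).
SAMPLE_INVENTORY = [
    ("ws-01", "Mozilla Firefox 97.0.1"),
    ("ws-02", "Mozilla Firefox 97.0.2"),
    ("ws-03", "Mozilla Firefox 91.6.0esr"),
    ("ws-04", "Mozilla Firefox 91.6.1esr"),
    ("ws-05", "Mozilla Firefox 96.0.3"),
]

if __name__ == "__main__":
    for host in hosts_without_fix(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```

Tor Browser and other Firefox-based browsers use their own version numbering, so this check applies only to Firefox builds themselves.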

Source: opennet.ru
