CVE-2022-28282

MEDIUM

Mozilla Firefox < 99.0 - Use After Free

Title source: rule

Description

By using a link with <code>rel="localization"</code> a use-after-free could have been triggered by destroying an object during JavaScript execution and then referencing the object through a freed pointer, leading to a potential exploitable crash. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.

Exploits (3)

nomisec WORKING POC

by bb33bb · poc

https://github.com/bb33bb/CVE-2022-28282-firefox

View Code ZIP pw:eip

inthewild

poc

https://github.com/pwnrin/cve-2022-28282

View on inthewild

inthewild

poc

https://github.com/magicpwnrin/cve-2022-28282

View on inthewild

References (4)

[Exploit, Issue Tracking, Vendor Advisory] https://bugzilla.mozilla.org/show_bug.cgi?id=1751609

[Exploit, Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2022-13/

[Exploit, Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2022-14/

[Exploit, Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2022-15/

Scores

CVSS v3 6.5

EPSS 0.0560

EPSS Percentile 90.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE

CWE-416

Status published

Products (3)

mozilla/firefox < 99.0

mozilla/firefox_esr < 91.8

mozilla/thunderbird < 91.8

Published Dec 22, 2022

Tracked Since Feb 18, 2026