CVE-2022-26485: 
NixOS vulnerability analysis and mitigation

CVE-2022-26485 is a critical use-after-free vulnerability in Mozilla Firefox's XSLT parameter processing component, discovered by researchers Wang Gang, Liu Jialei, Du Sihang, Huang Yi & Yang Kang of 360 ATA. The vulnerability was disclosed on March 5, 2022, and affects multiple Mozilla products including Firefox versions before 97.0.2, Firefox ESR before 91.6.1, Firefox for Android before 97.3.0, Thunderbird before 91.6.2, and Focus before 97.3.0 (Mozilla Advisory).

The vulnerability occurs when removing an XSLT parameter during processing, which could lead to an exploitable use-after-free condition. The issue is specifically located in the txMozillaXSLTProcessor.cpp file at line 1361 in the txVariable::Convert function. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating it can be exploited remotely with low attack complexity (NVD).

The vulnerability allows attackers to potentially execute arbitrary code on affected systems through a use-after-free condition. This is particularly severe as Mozilla confirmed that there have been reports of attacks exploiting this vulnerability in the wild (Mozilla Advisory).

Mozilla has released patches for all affected products. Users should update to Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Thunderbird 91.6.2, or Focus 97.3.0, depending on their product. The fix involves converting parameters upfront during XSLT processing to prevent the use-after-free condition (Mozilla Advisory).