Mozilla · Firefox ESR · CVE-2022-26485
**Name of the Vulnerable Software and Affected Versions**
Firefox versions prior to 97.0.2
Firefox ESR versions prior to 91.6.1
Firefox for Android versions prior to 97.3.0
Thunderbird versions prior to 91.6.2
Focus versions prior to 97.3.0
**Description**
The issue is a use of memory after it has been freed: removing an XSLT parameter during processing could lead to an exploitable use-after-free. Attacks abusing this flaw have been reported in the wild, and the flaw allows a remote attacker to potentially execute arbitrary code.
**Recommendations**
For Firefox versions prior to 97.0.2, update to version 97.0.2 or later.
For Firefox ESR versions prior to 91.6.1, update to version 91.6.1 or later.
For Firefox for Android versions prior to 97.3.0, update to version 97.3.0 or later.
For Thunderbird versions prior to 91.6.2, update to version 91.6.2 or later.
For Focus versions prior to 97.3.0, update to version 97.3.0 or later.
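To check an inventory against these fixed versions, the following is an added example (not part of the original advisory or any Mozilla tooling). It assumes version strings of the form `97.0.1` or `91.6.0esr`; the product labels, function names and sample rows are constructed for illustration.

```python
import re

# Fixed versions copied from the advisory above; the keys are labels chosen for this example.
FIXED = {
    "firefox": (97, 0, 2),
    "firefox-esr": (91, 6, 1),
    "firefox-android": (97, 3, 0),
    "thunderbird": (91, 6, 2),
    "focus": (97, 3, 0),
}

# Assumption: versions look like "97.0.1" or "91.6.0esr"; betas and nightlies are rejected.
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?", re.IGNORECASE)

def parse_version(text):
    """Return ((major, minor, patch), is_esr); missing components count as 0."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part or 0) for part in m.group(1, 2, 3))
    return numbers, m.group(4) is not None

def is_affected(product, version):
    """True if the version is older than the fixed release for its branch."""
    numbers, is_esr = parse_version(version)
    key = product.lower()
    # Firefox ESR has its own fixed release, so select the branch before comparing.
    if key == "firefox" and is_esr:
        key = "firefox-esr"
    if key not in FIXED:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    return numbers < FIXED[key]

def audit(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed inventory rows for illustration; hosts and versions are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "95.0.2"),     # release channel: above 91.6.1 yet still affected
    ("ws-02", "firefox", "91.6.1esr"),  # ESR branch at its fixed release
    ("ws-03", "firefox", "91.6.0esr"),
    ("ws-04", "thunderbird", "91.6.1"),
    ("ph-01", "focus", "97.3.0"),
]
```

Comparing against a single threshold would misclassify `ws-01`: the release and ESR branches are fixed at different versions, so the branch has to be identified first.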