CVE-2018-11646
published 2018-06-01

CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in…

Priority: P263, high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EXPLOIT
EPSS: 69.02% (99.3th percentile)
webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
debian | webkit2gtk | < webkit2gtk 2.20.3-1 (bookworm) | webkit2gtk 2.20.3-1 (bookworm)
webkitgtk | webkitgtk | <= 2.21.3 |

Detection & IOCs (extracted from sources)

path: UIProcess/API/glib/WebKitFaviconDatabase.cpp
  • Crash is triggered by navigating a window to a new URL after stopping document load, causing webkitFaviconDatabaseSetIconForPageURL to be called with an unset pageURL. Monitor for rapid window.open() calls followed by execCommand('stop') and document.write() in the same script context.
  • Crash backtrace originates at webkitFaviconDatabaseSetIconURLForPageURL (WebKitFaviconDatabase.cpp line 193) and webkitFaviconDatabaseSetIconForPageURL (line 318); process crash/SIGSEGV in a WebKitGTK+ process touching these functions is a strong indicator of exploitation.
  • The Metasploit auxiliary module (EDB-44876) serves the exploit payload over HTTP; look for HTTP servers delivering JavaScript containing the window.open / execCommand('stop') / document.write pattern to WebKitGTK+ user-agents.
  • Vulnerability only affects WebKitGTK+ through version 2.21.3; fixed in Debian packages at version 2.20.3-1. Detections should be scoped to unpatched WebKitGTK+ deployments.
  • This is a DoS-only vulnerability (application crash); there is no known code-execution primitive. Scope detection efforts to availability impact rather than confidentiality/integrity.

CVSS provenance

nvd, v3.0: 7.5 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd, v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:N/A:P
osv: 7.5 HIGH
vendor_debian: 7.5 LOW