CVE-2021-21779
published 2021-07-08CVE-2021-21779: A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handles certain events in WebKitGTK 2.30.4. A specially crafted web page can lead to…
PriorityP346high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
2.91%
85.3th percentile
A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handles certain events in WebKitGTK 2.30.4. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_big_sur | — | — |
| apple | safari | — | — |
| apple | tvos | — | — |
| apple | watchos | — | — |
| debian | debian_linux | — | — |
| debian | webkit2gtk | < webkit2gtk 2.32.3-1 (bookworm) | webkit2gtk 2.32.3-1 (bookworm) |
| debian | wpewebkit | < webkit2gtk 2.32.3-1 (bookworm) | webkit2gtk 2.32.3-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| webkitgtk | webkitgtk | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv3.06.8MEDIUMCVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv8.8HIGH
vendor_debian8.8HIGH
vendor_redhat8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
WebKitGTK vulnerabilities
vendor_ubuntu·2021-07-28
CVE-2021-30797 WebKitGTK vulnerabilities
Title: WebKitGTK vulnerabilities
Summary: Several security issues were fixed in WebKitGTK.
A large number of security issues were discovered in the WebKitGTK Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.
Instructions: This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK, such as Epiphany, to make all the necessary changes.
Red Hat
webkitgtk: Use-after-free in WebCore::GraphicsContext leading to information leak and possibly code execution
vendor_redhat·2021-07-28·CVSS 8.8
CVE-2021-21779 [HIGH] CWE-416 webkitgtk: Use-after-free in WebCore::GraphicsContext leading to information leak and possibly code execution
webkitgtk: Use-after-free in WebCore::GraphicsContext leading to information leak and possibly code execution
A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handles certain events in WebKitGTK 2.30.4. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability.
Package: webkitgtk (Red Hat Enterprise Linux 6) - Out of support scope
Package: webkitgtk3 (Red Hat Enterprise Linux 7) - Out of support scope
Package: webkit2gtk3 (Red Hat Enterprise Linux 9) - Not affected
Apple
CVE-2021-21779: macOS Big Sur 11.4
vendor_apple·2021-05-24·CVSS 8.8
CVE-2021-21779 [HIGH] CVE-2021-21779: macOS Big Sur 11.4
Apple Security Update: About the security content of macOS Big Sur 11.4
Product: macOS Big Sur
Version: 11.4
CVE: CVE-2021-21779
Component: WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
Apple
CVE-2021-21779: Safari 14.1.1
vendor_apple·2021-05-24·CVSS 8.8
CVE-2021-21779 [HIGH] CVE-2021-21779: Safari 14.1.1
Apple Security Update: About the security content of Safari 14.1.1
Product: Safari
Version: 14.1.1
CVE: CVE-2021-21779
Component: WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
Apple
CVE-2021-21779: watchOS 7.5
vendor_apple·2021-05-24·CVSS 8.8
CVE-2021-21779 [HIGH] CVE-2021-21779: watchOS 7.5
Apple Security Update: About the security content of watchOS 7.5
Product: watchOS
Version: 7.5
CVE: CVE-2021-21779
Component: WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
Apple
CVE-2021-21779: tvOS 14.6
vendor_apple·2021-05-24·CVSS 8.8
CVE-2021-21779 [HIGH] CVE-2021-21779: tvOS 14.6
Apple Security Update: About the security content of tvOS 14.6
Product: tvOS
Version: 14.6
CVE: CVE-2021-21779
Component: WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
Debian
CVE-2021-21779: webkit2gtk - A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handle...
vendor_debian·2021·CVSS 8.8
CVE-2021-21779 [HIGH] CVE-2021-21779: webkit2gtk - A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handle...
A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handles certain events in WebKitGTK 2.30.4. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability.
Scope: local
bookworm: resolved (fixed in 2.32.3-1)
bullseye: resolved (fixed in 2.32.3-1)
forky: resolved (fixed in 2.32.3-1)
sid: resolved (fixed in 2.32.3-1)
trixie: resolved (fixed in 2.32.3-1)
GHSA
GHSA-fvf7-58x3-4492: A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handles certain events in WebKitGTK 2
ghsa_unreviewed·2022-05-24
CVE-2021-21779 [HIGH] CWE-416 GHSA-fvf7-58x3-4492: A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handles certain events in WebKitGTK 2
A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handles certain events in WebKitGTK 2.30.4. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability.
OSV
CVE-2021-21779: A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handles certain events in WebKitGTK 2
osv·2021-07-08·CVSS 8.8
CVE-2021-21779 [HIGH] CVE-2021-21779: A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handles certain events in WebKitGTK 2
A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handles certain events in WebKitGTK 2.30.4. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability.
No detection rules found.
No public exploits indexed.
Talos
Vulnerability Spotlight: Use-after-free vulnerability in WebKit
blogs_talos·2021-06-02·CVSS 8.8
[HIGH] Vulnerability Spotlight: Use-after-free vulnerability in WebKit
Marcin Towalski of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
The WebKit browser engine contains a use-after-free vulnerability in its GraphicsContext function. A malicious web page code could trigger a use-after-free error, which could lead to a potential information leak and memory corruption. An attacker could exploit this vulnerability by tricking the user into visiting a specially crafted, malicious web page to trigger this vulnerability.
In accordance with our coordinated disclosure policy, Cisco Talos worked with WebKit to ensure that this issue is resolved and that an update is available for affected customers.
## Vulnerability details
Webkit WebCore::GraphicsContext use-after-free vulnerability (TALOS-2021-1238/CVE-2021-21779)
A use-after-free vulnerab
Talos
Vulnerability Spotlight: Use-after-free vulnerability in WebKit
blogs_talos·2021-06-02·CVSS 8.8
[HIGH] Vulnerability Spotlight: Use-after-free vulnerability in WebKit
## Vulnerability Spotlight: Use-after-free vulnerability in WebKit
Marcin Towalski of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
The WebKit browser engine contains a use-after-free vulnerability in its GraphicsContext function. A malicious web page code could trigger a use-after-free error, which could lead to a potential information leak and memory corruption. An attacker could exploit this vulnerability by tricking the user into visiting a specially crafted, malicious web page to trigger this vulnerability.
In accordance with our coordinated disclosure policy, Cisco Talos worked with WebKit to ensure that this issue is resolved and that an update is available for affected customers.
## Vulnerability details
Webkit WebCore::GraphicsContext use-after-free vulne
http://www.openwall.com/lists/oss-security/2021/07/23/1https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYMMBQN4PRVDLMIJT2LY2BWHLYBD57P3/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V4QORERLPDN3UNNJFJSOMHZZCU2G75Q6/https://talosintelligence.com/vulnerability_reports/TALOS-2021-1238https://www.debian.org/security/2021/dsa-4945http://www.openwall.com/lists/oss-security/2021/07/23/1https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYMMBQN4PRVDLMIJT2LY2BWHLYBD57P3/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V4QORERLPDN3UNNJFJSOMHZZCU2G75Q6/https://talosintelligence.com/vulnerability_reports/TALOS-2021-1238https://www.debian.org/security/2021/dsa-4945
2021-07-08
Published