CVE-2021-21775: Use After Free
First published: Wed Jul 07 2021(Updated: )
A use-after-free vulnerability exists in the way certain events are processed for ImageLoader objects of Webkit WebKitGTK 2.30.4. A specially crafted web page can lead to a potential information leak and further memory corruption. In order to trigger the vulnerability, a victim must be tricked into visiting a malicious webpage.
Credit: talos-cna@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WebKitGTK WebKitGTK | =2.30.4 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Debian Debian Linux | =10.0 | |
| debian/webkit2gtk | 2.36.4-1~deb10u1 2.38.6-0+deb10u1 2.40.5-1~deb11u1 2.42.1-1~deb11u2 2.40.5-1~deb12u1 2.42.1-1~deb12u1 2.42.1-2 | |
| debian/wpewebkit | 2.38.6-1~deb11u1 2.38.6-1 2.42.1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2021/07/23/1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYMMBQN4PRVDLMIJT2LY2BWHLYBD57P3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V4QORERLPDN3UNNJFJSOMHZZCU2G75Q6/
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1229
- https://www.debian.org/security/2021/dsa-4945
- https://security-tracker.debian.org/tracker/CVE-2021-21775
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V4QORERLPDN3UNNJFJSOMHZZCU2G75Q6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYMMBQN4PRVDLMIJT2LY2BWHLYBD57P3/
Frequently Asked Questions
What is CVE-2021-21775?
CVE-2021-21775 is a use-after-free vulnerability in Webkit WebKitGTK 2.30.4 that can lead to information leakage and memory corruption.
How severe is CVE-2021-21775?
CVE-2021-21775 has a severity rating of 8, which is considered high.
How does CVE-2021-21775 affect Webkit WebKitGTK?
CVE-2021-21775 affects Webkit WebKitGTK 2.30.4 and can be exploited through a specially crafted web page.
How can CVE-2021-21775 be fixed?
To fix CVE-2021-21775, update to the following versions: 2.36.4-1~deb10u1, 2.38.6-0+deb10u1, 2.40.5-1~deb11u1, 2.42.1-1~deb11u2, 2.40.5-1~deb12u1, 2.42.1-1~deb12u1, or 2.42.1-2.
Where can I find more information about CVE-2021-21775?
You can find more information about CVE-2021-21775 at the following references: [1] Talos Intelligence, [2] Debian Security Tracker, [3] Openwall.
- collector/nvd-index
- collector/security-tracker-debian
- agent/author
- agent/severity
- agent/references
- agent/weakness
- agent/tags
- agent/description
- agent/type
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/webkitgtk
- canonical/webkitgtk webkitgtk
- version/webkitgtk webkitgtk/2.30.4
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- package-manager/debian