CVE-2021-21779: Use After Free
First published: Mon May 24 2021(Updated: )
A use-after-free vulnerability exists in the way Webkit’s GraphicsContext handles certain events in WebKitGTK 2.30.4. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability.
Credit: Marcin Towalski Cisco TalosMarcin Towalski Cisco TalosMarcin Towalski Cisco TalosMarcin Towalski Cisco TalosMarcin Towalski Cisco Talos talos-cna@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/webkit2gtk | 2.36.4-1~deb10u1 2.38.6-0+deb10u1 2.40.5-1~deb11u1 2.42.1-1~deb11u2 2.40.5-1~deb12u1 2.42.1-1~deb12u1 2.42.1-2 | |
| debian/wpewebkit | 2.38.6-1~deb11u1 2.38.6-1 2.42.1-1 | |
| WebKitGTK WebKitGTK | =2.30.4 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Debian Debian Linux | =10.0 | |
| Apple watchOS | <7.5 | 7.5 |
| Apple macOS Big Sur | <11.4 | 11.4 |
| Apple iOS | <14.6 | 14.6 |
| Apple iPadOS | <14.6 | 14.6 |
| Apple tvOS | <14.6 | 14.6 |
| Apple Safari | <14.1.1 | 14.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://support.apple.com/en-us/HT212528 (Advisory)
- https://support.apple.com/en-us/HT212529 (Advisory)
- https://support.apple.com/en-us/HT212532 (Advisory)
- https://support.apple.com/en-us/HT212533 (Advisory)
- https://support.apple.com/en-us/HT212534 (Advisory)
- http://www.openwall.com/lists/oss-security/2021/07/23/1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYMMBQN4PRVDLMIJT2LY2BWHLYBD57P3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V4QORERLPDN3UNNJFJSOMHZZCU2G75Q6/
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1238
- https://www.debian.org/security/2021/dsa-4945
- https://security-tracker.debian.org/tracker/CVE-2021-21779
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2021-30707
- CVE-2021-30685
- CVE-2021-30714
- CVE-2021-30729
- CVE-2021-30681
- CVE-2021-30686
- CVE-2021-30733
- CVE-2021-30753
- CVE-2021-30727
- CVE-2021-30724
- CVE-2021-30771
- CVE-2021-30697
- CVE-2021-30710
- CVE-2021-30687
- CVE-2021-30700
- CVE-2021-30701
- CVE-2021-30705
- CVE-2021-30706
- CVE-2021-30740
- CVE-2021-30674
- CVE-2021-30704
- CVE-2021-30715
- CVE-2021-30736
- CVE-2021-30703
- CVE-2021-30677
- CVE-2021-30741
- CVE-2021-30756
- CVE-2021-30723
- CVE-2021-30691
- CVE-2021-30692
- CVE-2021-30694
- CVE-2021-30725
- CVE-2021-30746
- CVE-2021-30693
- CVE-2021-30695
- CVE-2021-30708
- CVE-2021-30709
- CVE-2021-1821
- CVE-2021-30699
- CVE-2021-30999
- CVE-2021-30737
- CVE-2021-30744
- CVE-2021-21779
- CVE-2021-30682
- CVE-2021-30689
- CVE-2021-30749
- CVE-2021-30734
- CVE-2021-30720
- CVE-2021-23841
- CVE-2021-30698
- CVE-2021-30667
- CVE-2021-30678
- CVE-2021-30676
- CVE-2021-30688
- CVE-2021-30669
- CVE-2021-30672
- CVE-2021-30673
- CVE-2021-30755
- CVE-2021-30684
- CVE-2021-30735
- CVE-2021-30683
- CVE-2021-30719
- CVE-2021-30728
- CVE-2021-30726
- CVE-2021-30731
- CVE-2021-30739
- CVE-2021-30680
- CVE-2021-30702
- CVE-2021-30696
- CVE-2021-30679
- CVE-2020-36226
- CVE-2020-36227
- CVE-2020-36223
- CVE-2020-36224
- CVE-2020-36225
- CVE-2020-36221
- CVE-2020-36228
- CVE-2020-36222
- CVE-2020-36230
- CVE-2020-36229
- CVE-2021-30738
- CVE-2021-30751
- CVE-2021-30716
- CVE-2021-30717
- CVE-2021-30721
- CVE-2021-30722
- CVE-2021-30712
- CVE-2021-30668
- CVE-2021-30718
- CVE-2021-30671
- CVE-2021-30713
- CVE-2021-30665
- CVE-2021-30663
Frequently Asked Questions
What is CVE-2021-21779?
CVE-2021-21779 is a vulnerability in WebKit that allows for a use after free issue due to a memory management flaw.
What software is affected by CVE-2021-21779?
CVE-2021-21779 affects Apple tvOS versions up to and exclusive of 14.6, Apple watchOS versions up to and exclusive of 7.5, Apple Safari versions up to and exclusive of 14.1.1, Apple macOS Big Sur versions up to and exclusive of 11.4, Apple iOS versions up to and exclusive of 14.6, and Apple iPadOS versions up to and exclusive of 14.6.
How can the use after free issue in CVE-2021-21779 be fixed?
To fix the use after free issue in CVE-2021-21779, update to the latest version of the affected software.
Where can I find more information about CVE-2021-21779?
More information about CVE-2021-21779 can be found on the Apple support website at the following links: [link1], [link2], [link3].
What is CWE-416?
CWE-416 is a common weakness enumeration reference for use after free vulnerabilities.
- collector/apple-support
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/security-tracker-debian
- vendor/apple
- canonical/apple ios
- canonical/apple ipados
- canonical/apple macos big sur
- canonical/apple tvos
- canonical/apple watchos
- canonical/apple safari
- vendor/webkitgtk
- canonical/webkitgtk webkitgtk
- version/webkitgtk webkitgtk/2.30.4
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- package-manager/debian