CVE-2023-25358: Use After Free

Reference Links

• https://bugs.webkit.org/show_bug.cgi?id=242683
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QL5OGMSHRQ26FTYWZUXVNWB2VHOSVXK/
• http://www.openwall.com/lists/oss-security/2023/04/21/3
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5OKKVEUQAAGH3NHMX3WHWKRPYU4QFKTQ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KC7DMUX37BRCLAI4VPQYHDUVEGTNYN5A/
• https://launchpad.net/bugs/cve/CVE-2023-25358
• https://webkitgtk.org/security/WSA-2023-0003.html
• https://security-tracker.debian.org/tracker/CVE-2023-25358
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25358
• https://ubuntu.com/security/notices/USN-6061-1
• https://nvd.nist.gov/vuln/detail/CVE-2023-25358
• https://ubuntu.com/security/CVE-2023-25358
• https://security.gentoo.org/glsa/202305-32

Parent vulnerabilities

(Appears in the following advisories)

• USN-6061-1

Frequently Asked Questions

• What is the vulnerability ID for this use-after-free vulnerability?

  The vulnerability ID for this use-after-free vulnerability is CVE-2023-25358.

• What is the severity of CVE-2023-25358?

  The severity of CVE-2023-25358 is not specified in the provided information.

• How does the use-after-free vulnerability in WebCore::RenderLayer::addChild allow attackers to execute code remotely?

  The use-after-free vulnerability in WebCore::RenderLayer::addChild in WebKitGTK allows attackers to execute code remotely by manipulating memory after it has been freed.

• Which versions of WebKitGTK are affected by CVE-2023-25358?

  The versions of WebKitGTK affected by CVE-2023-25358 are before 2.36.8.

• What are the recommended versions of WebKitGTK to fix CVE-2023-25358?

  The recommended versions of WebKitGTK to fix CVE-2023-25358 are 2.38.5-1~deb10u1, 2.38.5-1~deb11u1, 2.40.1-1~deb11u1, and 2.40.1-1.