Webkitgtk

Apple iOS/PiOS PointerAuth Bypass via Arbitrary RW (pre-17.5)
CVE-2024-27834 8.1 - High - May 14, 2024

The issue was addressed with improved checks. This issue is fixed in iOS 17.5 and iPadOS 17.5, tvOS 17.5, Safari 17.5, watchOS 10.5, macOS Sonoma 14.5. An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication.

Insecure Inherited Permissions

Apple OS Sandbox Escape CVE-2024-23246 (pre macOS 14.4, iOS 17.4)
CVE-2024-23246 8.1 - High - March 08, 2024

This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. An app may be able to break out of its sandbox.

Improper Input Validation

CVE-2024-23263 Safari CSP Bypass Improper Validation (17.4)
CVE-2024-23263 8.1 - High - March 08, 2024

A logic issue was addressed with improved validation. This issue is fixed in tvOS 17.4, macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, Safari 17.4. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.

Improper Input Validation

Apple Safari Content Security Policy bypass, fixed in 17.4
CVE-2024-23284 6.5 - Medium - March 08, 2024

A logic issue was addressed with improved state management. This issue is fixed in tvOS 17.4, macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, Safari 17.4. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.

Protection Mechanism Failure

Safari Injection Fingerprinting Issue Fixed in v17.4
CVE-2024-23280 7.5 - High - March 08, 2024

An injection issue was addressed with improved validation. This issue is fixed in Safari 17.4, macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4, watchOS 10.4, tvOS 17.4. A maliciously crafted webpage may be able to fingerprint the user.

Cross-Orig Audio Data Exfiltration via Safari UI Handling (before 17.4)
CVE-2024-23254 6.5 - Medium - March 08, 2024

The issue was addressed with improved UI handling. This issue is fixed in tvOS 17.4, macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, Safari 17.4. A malicious website may exfiltrate audio data cross-origin.

Safari address bar spoofing via UI state laxity (CVE-2023-42843)
CVE-2023-42843 4.3 - Medium - February 21, 2024

An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1, Safari 17.1, macOS Sonoma 14.1. Visiting a malicious website may lead to address bar spoofing.

Authentication Bypass by Spoofing

Apple iOS/iPadOS Safari OOB read (<16.7.1) fixed 17.1.2
CVE-2023-42916 6.5 - Medium - November 30, 2023

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.

Out-of-bounds Read

Code Exec via WebKit Mem Corrupt before iOS 16.7.1, fixed Safari 17.1.2
CVE-2023-42917 8.8 - High - November 30, 2023

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.

Memory Corruption

Use-After-Free in WebKitGTK MediaRecorder API 2.40.5
CVE-2023-39928 8.8 - High - October 06, 2023

A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to to visit a malicious webpage to trigger this vulnerability.

Dangling pointer

macOS Sonoma 14 Fixed Web Content Arbitrary Code Exec (CVE-2023-41993)
CVE-2023-41993 8.8 - High - September 21, 2023

The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Improper Check for Unusual or Exceptional Conditions

macOS Ventura 13.x Remote JS Execution CVE-2023-40397 (WebKit)
CVE-2023-40397 9.8 - Critical - September 06, 2023

The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.5. A remote attacker may be able to cause arbitrary javascript code execution.

macOS Ventura CSP Wildcard Validation Failure (Fixed 13.3)
CVE-2023-32370 5.3 - Medium - September 06, 2023

A logic issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.3. Content Security Policy to block domains with wildcards may fail.

Apple WebKit AAF bug fixed in iOS 16.4/iPadOS16.4/macOS 13.3
CVE-2023-28198 8.8 - High - August 14, 2023

A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 16.4 and iPadOS 16.4, macOS Ventura 13.3. Processing web content may lead to arbitrary code execution.

Dangling pointer

Apple Safari & OS Web Content Arbitrary Code Exec: fixed in v16.6 / 16.5.2
CVE-2023-37450 8.8 - High - July 27, 2023

The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, Safari 16.5.2, tvOS 16.6, macOS Ventura 13.5, watchOS 9.6. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Safari Type Confusion CVE-2023-32439 fixed in iOS 16.5.1 & macOS 13.4.1
CVE-2023-32439 8.8 - High - June 23, 2023

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, macOS Ventura 13.4.1, Safari 16.5.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Object Type Confusion

Apple iOS/macOS Safari OOB Read (fixed in OS 16.5/13.4, Safari 16.5)
CVE-2023-28204 6.5 - Medium - June 23, 2023

An out-of-bounds read was addressed with improved input validation. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, Safari 16.5, iOS 16.5 and iPadOS 16.5. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.

Out-of-bounds Read

Apple Safari UAF leads to arbitrary code exec (before 16.5)
CVE-2023-32373 8.8 - High - June 23, 2023

A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, Safari 16.5, iOS 16.5 and iPadOS 16.5. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Dangling pointer

WebKit Arbitrary Code Execution via Malicious Content
CVE-2019-8720 8.8 - High - March 06, 2023

A vulnerability was found in WebKit. The flaw is triggered when processing maliciously crafted web content that may lead to arbitrary code execution. Improved memory handling addresses the multiple memory corruption issues.

Buffer Overflow

Remote Code Execution via UAF in WebKitGTK <2.36.8 RenderLayer
CVE-2023-25361 8.8 - High - March 02, 2023

A use-after-free vulnerability in WebCore::RenderLayer::setNextSibling in WebKitGTK before 2.36.8 allows attackers to execute code remotely.

Dangling pointer

Use-After-Free in WebKitGTK <2.36.8 RenderLayer repaintBlockSelectionGaps
CVE-2023-25362 8.8 - High - March 02, 2023

A use-after-free vulnerability in WebCore::RenderLayer::repaintBlockSelectionGaps in WebKitGTK before 2.36.8 allows attackers to execute code remotely.

Dangling pointer

WebKitGTK <2.36.8 UAF via RenderLayer: RCE
CVE-2023-25363 8.8 - High - March 02, 2023

A use-after-free vulnerability in WebCore::RenderLayer::updateDescendantDependentFlags in WebKitGTK before 2.36.8 allows attackers to execute code remotely.

Dangling pointer

WebKitGTK 2.36.8 UAF in WebCore::RenderLayer::addChild (CVE-2023-25358)
CVE-2023-25358 8.8 - High - March 02, 2023

A use-after-free vulnerability in WebCore::RenderLayer::addChild in WebKitGTK before 2.36.8 allows attackers to execute code remotely.

Dangling pointer

Use-After-Free in WebKitGTK RenderLayer::renderer before 2.36.8
CVE-2023-25360 8.8 - High - March 02, 2023

A use-after-free vulnerability in WebCore::RenderLayer::renderer in WebKitGTK before 2.36.8 allows attackers to execute code remotely.

Dangling pointer

Apple Safari Use-After-Free CVE-2022-42826 Fixed in Safari 16.1
CVE-2022-42826 8.8 - High - February 27, 2023

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13, iOS 16.1 and iPadOS 16, Safari 16.1. Processing maliciously crafted web content may lead to arbitrary code execution.

Dangling pointer

OWB Write in Safari WebKit <15.6.1: Arbitrary Code Exec
CVE-2022-32893 8.8 - High - August 24, 2022

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1, Safari 15.6.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Memory Corruption

Chrome WebRTC Heap Overflow <103.0.5060.114
CVE-2022-2294 8.8 - High - July 28, 2022

Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Memory Corruption

In WebKitGTK through 2.36.0 (and WPE WebKit)
CVE-2022-30293 7.5 - High - May 06, 2022

In WebKitGTK through 2.36.0 (and WPE WebKit), there is a heap-based buffer overflow in WebCore::TextureMapperLayer::setContentsLayer in WebCore/platform/graphics/texmap/TextureMapperLayer.cpp.

Memory Corruption

A use after free issue was addressed with improved memory management
CVE-2022-22590 8.8 - High - March 18, 2022

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. Processing maliciously crafted web content may lead to arbitrary code execution.

Dangling pointer

In WebKitGTK before 2.32.4
CVE-2021-45482 6.5 - Medium - December 25, 2021

In WebKitGTK before 2.32.4, there is a use-after-free in WebCore::ContainerNode::firstChild, a different vulnerability than CVE-2021-30889.

Dangling pointer

In WebKitGTK before 2.32.4
CVE-2021-45483 6.5 - Medium - December 25, 2021

In WebKitGTK before 2.32.4, there is a use-after-free in WebCore::Frame::page, a different vulnerability than CVE-2021-30889.

Dangling pointer

In WebKitGTK before 2.32.4
CVE-2021-45481 6.5 - Medium - December 25, 2021

In WebKitGTK before 2.32.4, there is incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create, leading to a segmentation violation and application crash, a different vulnerability than CVE-2021-30889.

Memory Leak

BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass
CVE-2021-42762 5.3 - Medium - October 20, 2021

BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.

A use-after-free vulnerability exists in the way Webkits GraphicsContext handles certain events in WebKitGTK 2.30.4
CVE-2021-21779 8.8 - High - July 08, 2021

A use-after-free vulnerability exists in the way Webkits GraphicsContext handles certain events in WebKitGTK 2.30.4. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability.

Dangling pointer

An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.3 x64
CVE-2021-21806 8.8 - High - July 08, 2021

An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.3 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in remote code execution. The victim needs to visit a malicious web site to trigger the vulnerability.

Dangling pointer

A use-after-free vulnerability exists in the way certain events are processed for ImageLoader objects of Webkit WebKitGTK 2.30.4
CVE-2021-21775 8 - High - July 07, 2021

A use-after-free vulnerability exists in the way certain events are processed for ImageLoader objects of Webkit WebKitGTK 2.30.4. A specially crafted web page can lead to a potential information leak and further memory corruption. In order to trigger the vulnerability, a victim must be tricked into visiting a malicious webpage.

Dangling pointer

This issue was addressed with improved iframe sandbox enforcement
CVE-2021-1801 - April 02, 2021

This issue was addressed with improved iframe sandbox enforcement. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. Maliciously crafted web content may violate iframe sandboxing policy.

A port redirection issue was addressed with additional port validation
CVE-2021-1799 - April 02, 2021

A port redirection issue was addressed with additional port validation. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, tvOS 14.4, watchOS 7.3, iOS 14.4 and iPadOS 14.4, Safari 14.0.3. A malicious website may be able to access restricted ports on arbitrary servers.

A logic issue was addressed with improved restrictions
CVE-2021-1870 9.8 - Critical - April 02, 2021

A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, iOS 14.4 and iPadOS 14.4. A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..

A type confusion issue was addressed with improved state handling
CVE-2021-1789 8.8 - High - April 02, 2021

A type confusion issue was addressed with improved state handling. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, tvOS 14.4, watchOS 7.3, iOS 14.4 and iPadOS 14.4, Safari 14.0.3. Processing maliciously crafted web content may lead to arbitrary code execution.

Object Type Confusion

"Clear History and Website Data" did not clear the history
CVE-2020-29623 3.3 - Low - April 02, 2021

"Clear History and Website Data" did not clear the history. The issue was addressed with improved data deletion. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave, iOS 14.3 and iPadOS 14.3, tvOS 14.3. A user may be unable to fully delete browsing history.

This issue was addressed with improved iframe sandbox enforcement
CVE-2021-1765 - April 02, 2021

This issue was addressed with improved iframe sandbox enforcement. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave. Maliciously crafted web content may violate iframe sandboxing policy.

A code execution vulnerability exists in the AudioSourceProviderGStreamer functionality of Webkit WebKitGTK 2.30.1
CVE-2020-13558 8.8 - High - March 03, 2021

A code execution vulnerability exists in the AudioSourceProviderGStreamer functionality of Webkit WebKitGTK 2.30.1. A specially crafted web page can lead to a use after free.

Dangling pointer

A use after free issue was addressed with improved memory management
CVE-2020-27918 7.8 - High - December 08, 2020

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.1, iOS 14.2 and iPadOS 14.2, iCloud for Windows 11.5, Safari 14.0.1, tvOS 14.2, iTunes 12.11 for Windows. Processing maliciously crafted web content may lead to arbitrary code execution.

Dangling pointer

A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2.30.0
CVE-2020-13543 8.8 - High - December 03, 2020

A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2.30.0. A specially crafted web page can trigger a use-after-free vulnerability which can lead to remote code execution. An attacker can get a user to visit a webpage to trigger this vulnerability.

Dangling pointer

An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.1 x64
CVE-2020-13584 8.8 - High - December 03, 2020

An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.1 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in a remote code execution. The victim needs to visit a malicious web site to trigger this vulnerability.

Dangling pointer

The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl
CVE-2020-13753 10 - Critical - July 14, 2020

The bubblewrap sandbox of WebKitGTK and WPE WebKit, prior to 2.28.3, failed to properly block access to CLONE_NEWUSER and the TIOCSTI ioctl. CLONE_NEWUSER could potentially be used to confuse xdg-desktop-portal, which allows access outside the sandbox. TIOCSTI can be used to directly execute commands outside the sandbox by writing to the controlling terminal's input buffer, similar to CVE-2017-5226.

Improper Input Validation

A use-after-free issue exists in WebKitGTK before 2.28.1 and WPE WebKit before 2.28.1 via crafted web content
CVE-2020-11793 - April 17, 2020

A use-after-free issue exists in WebKitGTK before 2.28.1 and WPE WebKit before 2.28.1 via crafted web content that allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash).

WebKitGTK through 2.26.4 and WPE WebKit through 2.26.4 (which are the versions right before 2.28.0) contains a memory corruption issue (use-after-free)
CVE-2020-10018 9.8 - Critical - March 02, 2020

WebKitGTK through 2.26.4 and WPE WebKit through 2.26.4 (which are the versions right before 2.28.0) contains a memory corruption issue (use-after-free) that may lead to arbitrary code execution. This issue has been fixed in 2.28.0 with improved memory handling.

Dangling pointer

A logic issue was addressed with improved state management
CVE-2020-3867 6.1 - Medium - February 27, 2020

A logic issue was addressed with improved state management. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted web content may lead to universal cross site scripting.

XSS