CVE-2021-21779

NameCVE-2021-21779
DescriptionA use-after-free vulnerability exists in the way Webkit’s GraphicsContext handles certain events in WebKitGTK 2.30.4. A specially crafted web page can lead to a potential information leak and further memory corruption. A victim must be tricked into visiting a malicious web page to trigger this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
webkit2gtk (PTS)stretch2.18.6-1~deb9u1vulnerable
buster, buster (security)2.32.1-1~deb10u1vulnerable
bullseye2.32.1-2vulnerable
sid2.32.2-1vulnerable
wpewebkit (PTS)bullseye2.32.1-1vulnerable
sid2.32.2-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
webkit2gtksource(unstable)(unfixed)
wpewebkitsource(unstable)(unfixed)

Notes

[bullseye] - webkit2gtk <postponed> (Fix along with next update round)
[buster] - webkit2gtk <postponed> (Fix along with next update round)
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[bullseye] - wpewebkit <postponed> (Minor issue, fix along with next update)
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1238

Search for package or bug name: Reporting problems