WebKitGTK Security Advisory: High Risk of Arbitrary Code Execution

Several high-severity vulnerabilities have been found in the WebKitGTK web engine, including a use after free issue that may have been actively exploited (CVE-2023-28205).

These bugs could result in the exposure of sensitive information and the execution of arbitrary code.

The following vulnerabilities have been discovered in WebKitGTK:

• CVE-2022-0108: Luan Herrera discovered that an HTML document may be able to render iframes with sensitive user information.
• CVE-2022-32885: P1umer and Q1IQ discovered that processing maliciously crafted web content may lead to arbitrary code execution.
• CVE-2023-27932: An anonymous researcher discovered that processing maliciously crafted web content may bypass Same Origin Policy.
• CVE-2023-27954: An anonymous researcher discovered that a website may be able to track sensitive user information.
• CVE-2023-28205: Clement Lecigne and Donncha O Cearbhaill discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. 

With a low attack complexity, no privileges required to exploit, and a high confidentiality, integrity and availability impact, we strongly recommend that all impacted users apply the WebKitGTK updates issued but their distro(s) now to protect against attacks leading to downtime and the compromise of confidential information.