REDHAT-BUG-2416300: High severity WebKit WebKitGTK vulnerability
Out-of-bounds read and integer underflow vulnerability in the GLib remote inspector server of WebKitGTK and WPE WebKit. The WTF::SocketConnection::readMessage() function uses strlen() over framed, peer-controlled data without constraining the scan to the declared bodySize. If a crafted payload omits a NUL terminator within that body, the function reads beyond the frame boundary, causing an out-of-bounds read and UIProcess crash (DoS). In addition, the computed messageNameLength is not validated against bodySize before calculating parametersSize = bodySize - messageNameLength, risking integer underflow. A remote, unauthenticated client can trigger this condition whenever the remote inspector server is enabled and reachable, but the feature is primarily intended for debugging and is disabled by default, which limits practical exposure.
Affected Software
Event History
Frequently Asked Questions
What is the severity of REDHAT-BUG-2416300?
The severity of REDHAT-BUG-2416300 is considered to be high due to the potential for out-of-bounds reads and integer underflows.
How does REDHAT-BUG-2416300 impact WebKitGTK and WPE WebKit?
REDHAT-BUG-2416300 can lead to vulnerabilities that potentially allow an attacker to execute arbitrary code or crash the application.
How do I fix REDHAT-BUG-2416300?
To fix REDHAT-BUG-2416300, update your WebKitGTK and WPE WebKit installations to the latest version provided by your vendor.
What versions of WebKitGTK and WPE WebKit are affected by REDHAT-BUG-2416300?
REDHAT-BUG-2416300 affects all versions of WebKitGTK and WPE WebKit that contain the vulnerable code in the WTF::SocketConnection::readMessage() function.
What is the nature of the vulnerability in REDHAT-BUG-2416300?
The nature of the vulnerability in REDHAT-BUG-2416300 is an out-of-bounds read and integer underflow caused by improper handling of peer-controlled data.