CVE-2020-10018: 
NixOS vulnerability analysis and mitigation

CVE-2020-10018 affects WebKitGTK through version 2.26.4 and WPE WebKit through version 2.26.4 (versions before 2.28.0). The vulnerability was discovered by Sudhakar Verma, Ashfaq Ansari & Siddhant Badhe from Project Srishti of CloudFuzz and was disclosed on March 12, 2020. This security issue impacts the web content engine libraries used in GTK-based applications (WebKit Advisory, NVD).

The vulnerability is a memory corruption issue, specifically a use-after-free condition, that occurs in the WebKit engine. The issue has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability was addressed in version 2.28.0 with improved memory handling (NVD, WebKit Advisory).

Processing maliciously crafted web content may lead to arbitrary code execution. The vulnerability affects multiple Linux distributions including Ubuntu, Debian, Fedora, and openSUSE (Ubuntu Advisory, Debian Advisory, Gentoo Advisory).

The vulnerability was fixed in WebKitGTK and WPE WebKit version 2.28.0. Users are recommended to upgrade to this version or later. After system updates, any applications using WebKitGTK+ need to be restarted to apply the security fixes (Ubuntu Advisory, WebKit Advisory).