CVE-2021-21775: 
NixOS vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in Webkit WebKitGTK 2.30.4, identified as CVE-2021-21775. The vulnerability exists in the way certain events are processed for ImageLoader objects. The issue was discovered by Marcin Towalski of Cisco Talos and was publicly disclosed on June 2, 2021. The vulnerability affects WebKitGTK and WPE WebKit versions before 2.32.3 (Talos Report, OSS Security).

The vulnerability is classified as a use-after-free (CWE-416) issue that occurs when WebKit engine tries to access a stale reference to an object that has already been freed and the corresponding memory is allocated for a different one. The stale reference is retained during event handler execution because of the srcset attribute which initially tries to load the image from the wrong path. The vulnerability has a CVSS v3.0 score of 6.8 (MEDIUM) with vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L (Talos Report).

If successfully exploited, this vulnerability can lead to potential information leaks and memory corruption. With proper memory layout control and heap grooming, an attacker could potentially take control of the erroneous object reuse, which could result in information disclosure and possibly further memory corruption (Talos Report).

The vulnerability was patched in WebKitGTK and WPE WebKit version 2.32.3. Users are recommended to upgrade to this version or later. The fix was distributed through various Linux distributions including Debian (version 2.32.3-1~deb10u1) and Fedora (version 2.32.3-1.fc33/34) (Debian Advisory, Fedora Update).