Vulnerability DatabaseCVE-2023-39434

CVE-2023-39434:
Alma Linux vulnerability analysis and mitigation

Overview

A use-after-free vulnerability (CVE-2023-39434) was discovered in WebKit that affects iOS 17 and iPadOS 17, watchOS 10, and macOS Sonoma 14. The vulnerability was discovered by Francisco Alonso (@revskills) and Dohyun Lee (@l33d0hyun) of PK Security. The issue was fixed in September 2023 with the release of iOS 17, iPadOS 17, watchOS 10, and macOS Sonoma 14 (Apple Support, WebKit Advisory).

Technical details

The vulnerability is a use-after-free issue in WebKit that could be triggered when processing web content. The issue was addressed by implementing improved memory management. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

Impact

If successfully exploited, this vulnerability could lead to arbitrary code execution when processing web content. This means an attacker could potentially execute malicious code on the affected device through specially crafted web content (WebKit Advisory).

Mitigation and workarounds

Apple has addressed this vulnerability by implementing improved memory management in iOS 17, iPadOS 17, watchOS 10, and macOS Sonoma 14. Users are advised to update to these versions or later to protect against this vulnerability. For WebKitGTK and WPE WebKit users, updating to version 2.40.5 or later is recommended (Apple Support, WebKit Advisory).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

8.8

Score

Published September 27, 2023

Severity HIGH

CNA Score 8.8

Affected Technologies

Alma Linux
Alibaba Cloud Linux (Aliyun Linux)

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 70.1

Exploitation Probability (EPSS) 0.7

Affected packages and libraries

webkit2gtk
libjavascriptcoregtk-4_1-0-32bit

Sources

NVD
AlmaLinux Security Advisory
- AlmaLinux 8 Severity HIGHHas FixAdded at: Nov 28, 2023
- AlmaLinux 9 Severity HIGHHas FixAdded at: Nov 16, 2023
Debian Security Tracker
- Debian 10 Severity HIGHNo FixAdded at: Oct 02, 2023
- Debian 11, 12, 13 Severity HIGHHas FixAdded at: Oct 02, 2023
- Debian 14 Severity HIGHHas FixAdded at: Aug 10, 2025
Echo
- Echo Severity HIGHHas FixAdded at: Nov 18, 2025
Gentoo Advisory Database
- Gentoo Severity HIGHHas FixAdded at: Feb 01, 2024
Red Hat Errata
- Red Hat 6, 7 Severity MEDIUMNo FixAdded at: Oct 02, 2023
Ubuntu Security Tracker
- Ubuntu 22.04, 23.04 Severity MEDIUMHas FixAdded at: Oct 10, 2023
- Ubuntu 23.10 Severity MEDIUMHas FixAdded at: Oct 31, 2023
- Ubuntu 24.04 Severity MEDIUMHas FixAdded at: May 06, 2024

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Alma Linux vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-66287	HIGH	8.8	Alma Linux	javascriptcoregtk6.0-debuginfo	No	Yes	Dec 04, 2025
CVE-2025-13502	HIGH	7.5	Alma Linux	webkit2gtk4.1-doc	No	Yes	Nov 25, 2025
CVE-2025-13947	HIGH	7.4	Alma Linux	webkitgtk6.0	No	Yes	Dec 03, 2025
CVE-2025-64505	MEDIUM	6.1	NixOS	java-21-openjdk-javadoc	No	Yes	Nov 25, 2025
CVE-2025-40185	N/A	N/A	Linux Kernel	kernel-debug-devel-matched	No	Yes	Nov 12, 2025