NetSurf Use-After-Free Vulnerability in DOM Normalization Function Allowing Arbitrary Code Execution

A use-after-free vulnerability has been identified in NetSurf version 3.11, specifically within the DOM normalization function `_dom_node_normalize`. This issue allows remote attackers to execute arbitrary code. The vulnerability arises because the function improperly manages the reference count of text nodes, leading to the potential execution of malicious code. The problem is exacerbated by the fact that external references to these nodes may still be valid, creating a window for exploitation.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution on the affected system.

Reproduction

The vulnerability can be reproduced by crafting a specific DOM structure that includes adjacent text nodes. When the `_dom_node_normalize` function is called on a parent node, the function will merge the text nodes and incorrectly decrease the reference count of the detached node. If this node is then accessed externally, it can lead to a use-after-free condition, allowing for arbitrary code execution.

Remediation

Users can upgrade to NetSurf versions later than 3.11 to address this vulnerability.