NetSurf Use-After-Free Vulnerability in DOM Node Text Content Handling

Vulnerability

A use-after-free vulnerability has been identified in NetSurf version 3.11, specifically within the DOM handling library, libdom, prior to a certain commit. The issue arises in the '_dom_node_set_text_content' function, which manages the 'Node.textContent' property. This function removes child nodes and replaces them with a text node, decrementing the reference count of each removed child. If a mutation event triggered by this process is handled in a way that modifies the text content again, it can lead to a child node being accessed after it has been freed, creating a use-after-free condition.

Impact

Exploiting this vulnerability can corrupt memory. As with other use-after-free bugs, the program continues to use a pointer after the memory it points to has been freed, potentially allowing arbitrary code execution or causing a crash.

Reproduction

The vulnerability can be reproduced by setting the 'textContent' property of a DOM node that has child nodes, while a mutation event handler is active that also modifies the 'textContent' of the same or a related node. This will create a nested call to '_dom_node_set_text_content', causing the reference count of the child nodes to be improperly managed and leading to a use-after-free condition.
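
The re-entrancy pattern described under Vulnerability and Reproduction, as an added example (a toy model written for this page, not libdom code and not the project's actual fix). All names are hypothetical, and "freeing" only sets a flag on a pool node so the stale accesses can be counted safely.

```c
#include <stddef.h>

/* Toy model: "freeing" only sets a flag on a pool node, so stale accesses
 * can be counted safely instead of corrupting memory. */
typedef struct node { struct node *next; int refs, freed; } node;
typedef struct tree { node *first; int depth, stale; } tree;
typedef void (*clear_fn)(tree *);

static void unref(node *n) { if (--n->refs == 0) n->freed = 1; }
/* Hypothetical mutation handler: sets the text content again, once. */
static void on_removed(tree *t, clear_fn clear) {
    if (t->depth++ == 0) clear(t);
    t->depth--;
}

static void remove_child(tree *t, node *c, clear_fn clear) {
    if (c->freed) { t->stale++; return; }  /* a use-after-free in real code */
    if (t->first == c) t->first = c->next; /* unlink (c is always the head) */
    on_removed(t, clear);                  /* handler may re-enter clear() */
    unref(c);                              /* drop the parent's reference */
}

/* Vulnerable shape: the next pointer is cached across the handler call. */
static void clear_unsafe(tree *t) {
    for (node *c = t->first, *n; c != NULL; c = n) { /* n may be freed */
        n = c->next;
        remove_child(t, c, clear_unsafe);
    }
}

/* Hardened shape: re-read the list head after every handler call. */
static void clear_safe(tree *t) {
    for (node *c; (c = t->first) != NULL; )
        remove_child(t, c, clear_safe);
}

/* Builds a constructed 3-child list, clears it, returns stale accesses. */
static int run(clear_fn clear) {
    static node pool[3];
    tree t = { &pool[0], 0, 0 };
    for (int i = 0; i < 3; i++)
        pool[i] = (node){ i < 2 ? &pool[i + 1] : NULL, 1, 0 };
    clear(&t);
    return t.stale;
}

int main(void) { /* exit status 0 when the model behaves as described */
    return (run(clear_unsafe) == 2 && run(clear_safe) == 0) ? 0 : 1;
}
```

In the unsafe variant the nested call frees the second and third children while the outer loop still holds a pointer to the second, so both are touched after being freed; the hardened loop never carries a child pointer across the handler.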

Remediation

Users can upgrade to NetSurf versions later than 3.11, where this vulnerability has been addressed. Additionally, libdom users should apply the latest updates that include the fix.

Added: Nov 3, 2025, 3:20 PM
Updated: Nov 3, 2025, 9:26 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 10.0
exploitability: 5.8
remediation: 7.7
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.