Bug 296276 (CVE-2025-43368)

Summary:	Crash under WTF::Detail::CallableWrapper<IPC::Connection::dispatchDidCloseAndInvalidate()::$_0, void>::call
Product:	WebKit	Reporter:	Chris Dumez <cdumez>
Component:	WebKit2	Assignee:	Chris Dumez <cdumez>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	kkinnunen, mcatanzaro, webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Chris Dumez

Reported 2025-07-21 09:01:27 PDT

Crash under WTF::Detail::CallableWrapper<IPC::Connection::dispatchDidCloseAndInvalidate()::$_0, void>::call: ``` 4 WTFCrashWithInfo(int, char const*, char const*, int) (WebKit) 5 WTF::CanMakeCheckedPtrBase<std::__1::atomic<unsigned int>, unsigned int>::decrementCheckedPtrCount() const (WebKit) 5 WTF::CheckedPtr<IPC::Connection::Client, WTF::RawPtrTraits<IPC::Connection::Client>>::derefIfNotNull() (WebKit) 5 WTF::CheckedPtr<IPC::Connection::Client, WTF::RawPtrTraits<IPC::Connection::Client>>::~CheckedPtr() (WebKit) 5 WTF::CheckedPtr<IPC::Connection::Client, WTF::RawPtrTraits<IPC::Connection::Client>>::~CheckedPtr() (WebKit) 5 IPC::Connection::dispatchDidCloseAndInvalidate()::$_0::operator()() const (WebKit) ==> 8 WTF::Detail::CallableWrapper<IPC::Connection::dispatchDidCloseAndInvalidate()::$_0, void>::call() (WebKit) <== 5 WTF::Function<void ()>::operator()() const (JavaScriptCore) | 5 WTF::RunLoop::performWork() (JavaScriptCore) | 5 WTF::RunLoop::performWork(void*) (JavaScriptCore) ```

Attachments
Add attachment proposed patch, testcase, etc.

Chris Dumez

Comment 1 2025-07-21 09:01:36 PDT

<rdar://156192754>

Chris Dumez

Comment 2 2025-07-21 09:05:40 PDT

Pull request: https://github.com/WebKit/WebKit/pull/48326

EWS

Comment 3 2025-07-21 12:27:13 PDT

Committed 297696@main (674611789255): <https://commits.webkit.org/297696@main> Reviewed commits have been landed. Closing PR #48326 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.