CVE-2010-0048
Description
Use-after-free in WebKit in Safari before 4.0.5 allows remote code execution via crafted XML document.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in WebKit, the rendering engine used by Apple Safari, in versions prior to 4.0.5. The bug is triggered when processing a crafted XML document, leading to a use-after-free condition. This affects Safari on Mac and Windows, and also impacts iOS devices running versions prior to iOS 4 [1][2]. The vulnerability is present in the WebKit component and can be exploited without any special configuration beyond visiting a malicious website.
Exploitation
An attacker can exploit this vulnerability by hosting a specially crafted XML document on a website and luring a user to visit that page. No additional authentication or network position is required beyond standard web access. The user interaction is limited to simply loading the malicious page. The use-after-free occurs during parsing of the XML, allowing the attacker to control the freed memory and potentially execute arbitrary code.
Impact
Successful exploitation allows a remote attacker to execute arbitrary code on the victim's system with the privileges of the user running Safari. This can lead to full compromise of the affected system, including data theft, installation of malware, or further network propagation. Alternatively, the vulnerability can cause a denial of service via application crash.
Mitigation
Apple addressed this vulnerability in Safari 4.0.5 [2] and in iOS 4 [1]. Users should update to the latest versions of Safari or iOS. For Linux systems using WebKit, Ubuntu released updates as part of USN-1006-1 [3]. No workarounds are documented; the only mitigation is to apply the available patches.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* (range: <=4.0.4)
- cpe:2.3:a:apple:safari:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apple:safari:4.0:beta:*:*:*:*:*:*
- (no CPE) range: <4.0.5
- Range: <4.0.5
Patches
No patches discovered yet.
References
- lists.apple.com/archives/security-announce/2010/Mar/msg00000.html (nvd, Vendor Advisory)
- support.apple.com/kb/HT4070 (nvd, Vendor Advisory)
- lists.apple.com/archives/security-announce/2010/Jun/msg00003.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2010-May/041383.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2010-May/041432.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2010-May/041436.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html (nvd)
- secunia.com/advisories/41856 (nvd)
- secunia.com/advisories/43068 (nvd)
- support.apple.com/kb/HT4225 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.securityfocus.com/bid/38671 (nvd)
- www.securitytracker.com/id (nvd)
- www.ubuntu.com/usn/USN-1006-1 (nvd)
- www.vupen.com/english/advisories/2010/2722 (nvd)
- www.vupen.com/english/advisories/2011/0212 (nvd)
- www.vupen.com/english/advisories/2011/0552 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7135 (nvd)