
CVE-2023-26226: CWE-416 Use After Free in Yandex Browser

High
Type: Vulnerability
Tags: CVE-2023-26226, cve, cwe-416
Published: Fri May 30 2025 (05/30/2025, 17:23:54 UTC)
Source: CVE Database V5
Vendor/Project: Yandex
Product: Browser

Description

A use-after-free memory corruption issue exists in Yandex Browser for Desktop prior to version 24.4.0.682.

AI-Powered Analysis

Last updated: 07/08/2025, 14:41:05 UTC

Technical Analysis

CVE-2023-26226 is a high-severity use-after-free (CWE-416) vulnerability in Yandex Browser for Desktop versions prior to 24.4.0.682. A use-after-free occurs when a program keeps using a pointer after the memory it points to has been freed; the freed block can be reused for other data, so reads through the stale pointer return unrelated or attacker-influenced content and writes through it corrupt memory. In this case, the resulting memory corruption could allow a remote attacker to execute arbitrary code or cause a denial of service. The CVSS 4.0 base score is 7.4, indicating high severity. The vector string (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:L/VA:H/SC:H/SI:H/SA:H) indicates a network attack vector (AV:N), high attack complexity (AC:H), attack requirements present (AT:P), no privileges required (PR:N), and passive user interaction (UI:P). Impact on the vulnerable system is high for confidentiality and availability and low for integrity (VC:H/VI:L/VA:H), and impact on subsequent systems is high for all three (SC:H/SI:H/SA:H), meaning successful exploitation can affect components beyond the vulnerable component itself. The vulnerability was not known to be exploited in the wild at the time of publication. No official patch links are provided in the data, but the fixed version is 24.4.0.682 or later. Exploitation requires user interaction, such as visiting a malicious website or opening a crafted link, which is typical for browser vulnerabilities; a successful attack could crash the browser or run attacker code in its context, potentially leading to further system compromise.
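The following C program is an added illustration of the CWE-416 pattern described above; it is not Yandex Browser code and says nothing about where the real bug sits. It assumes a hypothetical instrumented allocator (tracked_alloc/tracked_free) over a small static pool that poisons and quarantines freed slots, which is the same idea sanitizers use to turn a silent use-after-free into a deterministic, detectable event. The buggy flow keeps a second raw pointer to an object that its owner frees; the hardened flow gives the second holder its own reference count so the object outlives every user.

```c
/* Added example (not Yandex code): use-after-free made detectable by a
 * poisoning, quarantining allocator, beside a reference-counted fix. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 8
#define SLOT_BYTES 64
#define POISON 0xFD           /* pattern written into freed memory */

enum slot_state { SLOT_FREE = 0, SLOT_LIVE = 1, SLOT_QUARANTINED = 2 };

/* Hypothetical pool: a real detector keeps a shadow map instead. */
static _Alignas(16) unsigned char pool[POOL_SLOTS][SLOT_BYTES];
static enum slot_state state[POOL_SLOTS];

/* Map a pointer to its slot index, or -1 if it is not from the pool. */
static int slot_of(const void *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)pool, hi = lo + sizeof pool;
    if (a < lo || a >= hi) return -1;
    return (int)((a - lo) / SLOT_BYTES);
}

void *tracked_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (state[i] == SLOT_FREE) {          /* quarantined slots are skipped */
            state[i] = SLOT_LIVE;
            memset(pool[i], 0, SLOT_BYTES);
            return pool[i];
        }
    }
    return NULL;
}

/* Returns 1 on success, 0 when asked to free a wild or already-freed block. */
int tracked_free(void *p) {
    int i = slot_of(p);
    if (i < 0 || state[i] != SLOT_LIVE) return 0;
    memset(pool[i], POISON, SLOT_BYTES);      /* stale reads become recognisable */
    state[i] = SLOT_QUARANTINED;              /* slot is not handed out again */
    return 1;
}

/* The check a sanitizer performs on every access: is the target still live? */
int tracked_is_live(const void *p) {
    int i = slot_of(p);
    if (i >= 0 && state[i] == SLOT_LIVE) return 1;
    fprintf(stderr, "use-after-free detected: slot %d state %d\n",
            i, i >= 0 ? (int)state[i] : -1);
    return 0;
}

struct tab { int refs; int id; };
struct listener { struct tab *target; };      /* second holder of the object */

/* Vulnerable pattern: the owner frees while the listener still points at it.
 * Returns -1 when the dangling access is detected (it always is here). */
int buggy_flow(void) {
    struct tab *t = tracked_alloc();
    t->refs = 1; t->id = 42;
    struct listener l = { t };                /* raw pointer, no ownership */
    tracked_free(t); t = NULL;                /* owner releases the object */
    if (!tracked_is_live(l.target)) return -1;/* reading here would hit POISON */
    return l.target->id;
}

static struct tab *tab_ref(struct tab *t) { t->refs++; return t; }
static void tab_unref(struct tab *t) { if (--t->refs == 0) tracked_free(t); }

/* Hardened pattern: every holder owns a reference; the object is freed only
 * when the last one drops. Returns the id the listener read (42). */
int fixed_flow(void) {
    struct tab *t = tracked_alloc();
    t->refs = 1; t->id = 42;
    struct listener l = { tab_ref(t) };       /* listener takes its own ref */
    tab_unref(t); t = NULL;                   /* owner drops: object survives */
    int id = tracked_is_live(l.target) ? l.target->id : -1;
    tab_unref(l.target); l.target = NULL;     /* last ref gone: freed now */
    return id;
}

/* The allocator also refuses a double free. Returns 1 if refused. */
int double_free_refused(void) {
    void *p = tracked_alloc();
    int first = tracked_free(p), second = tracked_free(p);
    return first == 1 && second == 0;
}

int main(void) {
    printf("buggy flow: %d (-1 = detected)\n", buggy_flow());
    printf("fixed flow: %d\n", fixed_flow());
    printf("double free refused: %d\n", double_free_refused());
    return 0;
}
```

Without the instrumented pool, the same buggy flow in a production allocator simply reads whatever now occupies the recycled block, which is why CWE-416 bugs are found with AddressSanitizer or similar tooling rather than by observing crashes; the reference-counted variant removes the second raw pointer that made the bug possible.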

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on Yandex Browser in their desktop environments. Successful exploitation could lead to unauthorized code execution, enabling attackers to steal sensitive data, install malware, or disrupt business operations through denial of service. Given the browser’s role as a gateway to the internet, exploitation could serve as a foothold for lateral movement within corporate networks. The high impact on confidentiality and availability is particularly concerning for sectors handling sensitive personal data or critical infrastructure, such as finance, healthcare, and government agencies. Additionally, the requirement for user interaction means phishing or social engineering campaigns could be used to trigger exploitation, increasing risk in environments with less security awareness. The absence of known exploits in the wild provides a window for mitigation, but organizations should act promptly to prevent potential attacks.

Mitigation Recommendations

European organizations should prioritize upgrading Yandex Browser to version 24.4.0.682 or later as soon as possible to remediate this vulnerability. In the absence of immediate patching, organizations should implement network-level protections such as web filtering to block access to untrusted or suspicious websites that could host exploit code. Employ endpoint detection and response (EDR) solutions to monitor for anomalous browser behavior indicative of exploitation attempts. User awareness training should be enhanced to reduce the risk of social engineering attacks that require user interaction. Additionally, organizations should consider restricting the use of Yandex Browser in high-risk environments or replacing it with browsers that have a more robust security posture and timely patching. Implementing application control policies to limit execution of unauthorized code and sandboxing browser processes can further reduce exploitation impact. Regular vulnerability scanning and asset inventory updates will help identify affected systems promptly.


Technical Details

Data Version
5.1
Assigner Short Name
yandex
Date Reserved
2023-02-20T22:19:35.320Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6839ee3e182aa0cae2ba2623

Added to database: 5/30/2025, 5:43:26 PM

Last enriched: 7/8/2025, 2:41:05 PM

Last updated: 8/4/2025, 7:00:53 PM
