- What: Security update for webkit2gtk3
- Impact: Red Hat Enterprise Linux 9.6 Extended Update Support systems affected
RHSA-2026:11329 - Security Advisory
Issued: 2026-04-28
Updated: 2026-04-28

Synopsis
Important: webkit2gtk3 security update

Type/Severity
Security Advisory: Important

Topic
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.6 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43213)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43214)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43457)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43511)
- webkitgtk: Processing maliciously crafted web content may disclose internal states of the app (CVE-2025-46299)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20608)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20635)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20636)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20644)
- webkitgtk: A remote attacker may be able to cause a denial-of-service (CVE-2026-20652)
- webkitgtk: A website may be able to track users through Safari web extensions (CVE-2026-20676)
- webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy (CVE-2026-20643)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20664)
- webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2026-20665)
- webkitgtk: A maliciously crafted webpage may be able to fingerprint the user (CVE-2026-20691)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28857)
- webkitgtk: A malicious website may be able to process restricted web content outside the sandbox (CVE-2026-28859)
- webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack (CVE-2026-28871)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64
- Red Hat Enterprise Linux Server - AUS 9.6 x86_64
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64
- Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64
- Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x
- Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.6 x86_64
- Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.6 aarch64
- Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.6 ppc64le
- Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.6 s390x

Fixes
- BZ - 2448781 - CVE-2025-43213 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
- BZ - 2448782 - CVE-2025-43214 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
- BZ - 2448786 - CVE-2025-43457 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
- BZ - 2448787 - CVE-2025-43511 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
- BZ - 2448788 - CVE-2025-46299 webkitgtk: Processing maliciously crafted web content may disclose internal states of the app
- BZ - 2448789 - CVE-2026-20608 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
- BZ - 2448790 - CVE-2026-20635 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
- BZ - 2448791 - CVE-2026-20636 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
- BZ - 2448792 - CVE-2026-20644 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
- BZ - 2448793 - CVE-2026-20652 webkitgtk: A remote attacker may be able to cause a denial-of-service
- BZ - 2448794 - CVE-2026-20676 webkitgtk: A website may be able to track users through Safari web extensions
- BZ - 2453000 - CVE-2026-20643 webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy
- BZ - 2453001 - CVE-2026-20664 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
- BZ - 2453002 - CVE-2026-20665 webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
- BZ - 2453003 - CVE-2026-20691 webkitgtk: A maliciously crafted webpage may be able to fingerprint the user
- BZ - 2453004 - CVE-2026-28857 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
- BZ - 2453006 - CVE-2026-28859 webkitgtk: A malicious website may be able to process restricted web content outside the sandbox
- BZ - 2453008 - CVE-2026-28871 webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack

CVEs
- CVE-2025-43213
- CVE-2025-43214
- CVE-2025-43457
- CVE-2025-43511
- CVE-2025-46299
- CVE-2026-20608
- CVE-2026-20635
- CVE-2026-20636
- CVE-2026-20643
- CVE-2026-20644
- CVE-2026-20652
- CVE-2026-20664
- CVE-2026-20665
- CVE-2026-20676
- CVE-2026-20691
- CVE-2026-28857
- CVE-2026-28859
- CVE-2026-28871

References
- https://access.redhat.com/security/updates/classification/#important

Updated Packages
Note: More recent versions of these packages may be available.
SRPM: webkit2gtk3-2.52.3-1.el9_6.src.rpm