RHSA-2026:14659 - Security Advisory

Issued: 2026-05-07
Updated: 2026-05-07

Synopsis

Important: webkit2gtk3 security update

Type/Severity

Security Advisory: Important

Topic

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):

* webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43213)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43214)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43457)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43511)
* webkitgtk: Processing maliciously crafted web content may disclose internal states of the app (CVE-2025-46299)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20608)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20635)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20636)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20644)
* webkitgtk: A remote attacker may be able to cause a denial-of-service (CVE-2026-20652)
* webkitgtk: A website may be able to track users through Safari web extensions (CVE-2026-20676)
* webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy (CVE-2026-20643)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20664)
* webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2026-20665)
* webkitgtk: A maliciously crafted webpage may be able to fingerprint the user (CVE-2026-20691)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28857)
* webkitgtk: A malicious website may be able to process restricted web content outside the sandbox (CVE-2026-28859)
* webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack (CVE-2026-28871)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64
Red Hat Enterprise Linux Server - AUS 9.4 x86_64
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.4 x86_64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.4 aarch64
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.4 ppc64le
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.4 s390x

Fixes

BZ - 2448781 - CVE-2025-43213 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
BZ - 2448782 - CVE-2025-43214 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
BZ - 2448786 - CVE-2025-43457 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
BZ - 2448787 - CVE-2025-43511 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2448788 - CVE-2025-46299 webkitgtk: Processing maliciously crafted web content may disclose internal states of the app
BZ - 2448789 - CVE-2026-20608 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2448790 - CVE-2026-20635 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2448791 - CVE-2026-20636 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2448792 - CVE-2026-20644 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2448793 - CVE-2026-20652 webkitgtk: A remote attacker may be able to cause a denial-of-service
BZ - 2448794 - CVE-2026-20676 webkitgtk: A website may be able to track users through Safari web extensions
BZ - 2453000 - CVE-2026-20643 webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy
BZ - 2453001 - CVE-2026-20664 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2453002 - CVE-2026-20665 webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
BZ - 2453003 - CVE-2026-20691 webkitgtk: A maliciously crafted webpage may be able to fingerprint the user
BZ - 2453004 - CVE-2026-28857 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2453006 - CVE-2026-28859 webkitgtk: A malicious website may be able to process restricted web content outside the sandbox
BZ - 2453008 - CVE-2026-28871 webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack

CVEs

CVE-2025-43213
CVE-2025-43214
CVE-2025-43457
CVE-2025-43511
CVE-2025-46299
CVE-2026-20608
CVE-2026-20635
CVE-2026-20636
CVE-2026-20643
CVE-2026-20644
CVE-2026-20652
CVE-2026-20664
CVE-2026-20665
CVE-2026-20676
CVE-2026-20691
CVE-2026-28857
CVE-2026-28859
CVE-2026-28871

References

https://access.redhat.com/security/updates/classification/#important

Updated Packages

Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4
SRPM: webkit2gtk3-2.52.3-1.el9_4.src.rpm