RHSA-2026:16695: Important: webkit2gtk3 security update

This Red Hat security advisory addresses multiple vulnerabilities in the webkit2gtk3 package for RHEL 9.2 SAP Solutions, rated Important. The vulnerabilities include memory corruption issues allowing denial-of-service via crashes, sandbox escapes, Same Origin Policy bypasses, and privacy violations like user tracking and fingerprinting through malicious web content. Affected systems should apply the update referenced in RHSA-2026:16695 immediately.

Red Hat Product Errata
RHSA-2026:16695 - Security Advisory
Issued: 2026-05-13
Updated: 2026-05-13

Synopsis
Important: webkit2gtk3 security update

Type/Severity
Security Advisory: Important

Topic
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):
webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43213)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43214)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43457)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43511)
webkitgtk: Processing maliciously crafted web content may disclose internal states of the app (CVE-2025-46299)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20608)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20635)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20636)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20644)
webkitgtk: A remote attacker may be able to cause a denial-of-service (CVE-2026-20652)
webkitgtk: A website may be able to track users through Safari web extensions (CVE-2026-20676)
webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy (CVE-2026-20643)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20664)
webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2026-20665)
webkitgtk: A maliciously crafted webpage may be able to fingerprint the user (CVE-2026-20691)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28857)
webkitgtk: A malicious website may be able to process restricted web content outside the sandbox (CVE-2026-28859)
webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack (CVE-2026-28871)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

Affected Products
Red Hat Enterprise Linux Server - AUS 9.2 x86_64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.2 x86_64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.2 aarch64
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.2 ppc64le
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.2 s390x

Fixes
BZ - 2448781 - CVE-2025-43213 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
BZ - 2448782 - CVE-2025-43214 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
BZ - 2448786 - CVE-2025-43457 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
BZ - 2448787 - CVE-2025-43511 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2448788 - CVE-2025-46299 webkitgtk: Processing maliciously crafted web content may disclose internal states of the app
BZ - 2448789 - CVE-2026-20608 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2448790 - CVE-2026-20635 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2448791 - CVE-2026-20636 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2448792 - CVE-2026-20644 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2448793 - CVE-2026-20652 webkitgtk: A remote attacker may be able to cause a denial-of-service
BZ - 2448794 - CVE-2026-20676 webkitgtk: A website may be able to track users through Safari web extensions
BZ - 2453000 - CVE-2026-20643 webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy
BZ - 2453001 - CVE-2026-20664 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2453002 - CVE-2026-20665 webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
BZ - 2453003 - CVE-2026-20691 webkitgtk: A maliciously crafted webpage may be able to fingerprint the user
BZ - 2453004 - CVE-2026-28857 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2453006 - CVE-2026-28859 webkitgtk: A malicious website may be able to process restricted web content outside the sandbox
BZ - 2453008 - CVE-2026-28871 webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack

CVEs
CVE-2025-43213
CVE-2025-43214
CVE-2025-43457
CVE-2025-43511
CVE-2025-46299
CVE-2026-20608
CVE-2026-20635
CVE-2026-20636
CVE-2026-20643
CVE-2026-20644
CVE-2026-20652
CVE-2026-20664
CVE-2026-20665
CVE-2026-20676
CVE-2026-20691
CVE-2026-28857
CVE-2026-28859
CVE-2026-28871

References
https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.
Red Hat Enterprise Linux Server - AUS 9.2

SRPM
webkit2gtk3-2.52.3-1.el9_2.src.rpm

x86_64
webkit2gtk3-2.52.3-1.el9_2.i686.rpm
webkit2gtk3-2.52.3-1.el9_2.x86_64.rpm
webkit2gtk3-debuginfo-2.52.3-1.el9_2.i686.rpm
webkit2gtk3-debuginfo-2.52.3-1.el9_2.x86_64.rpm
webkit2gtk3-debugsource-2.52.3-1.el9_2.i686.rpm
webkit2gtk3-debugsource-2.52.3-1.el9_2.x86_64.rpm
webkit2gtk3-devel-2.52.3-1.el9_2.i686.rpm
webkit2gtk3-devel-2.52.3-1.el9_2.x86_64.rpm
webkit2gtk3-devel-debuginfo-2.52.3-1.el9_2.i686.rpm
webkit2gtk3-devel-debuginfo-2.52.3-1.el9_2.x86_64.rpm
webkit2gtk3-jsc-2.52.3-1.el9_2.i686.rpm
webkit2gtk3-jsc-2.52.3-1.el9_2.x86_64.rpm
webkit2gtk3-jsc-debuginfo-2.52.3-1.el9_2.i686.rpm
webkit2gtk3-jsc-debuginfo-2.52.3-1.el9_2.x86_64.rpm
webkit2gtk3-jsc-devel-2.52.3-1.el9_2.i686.rpm
webkit2gtk3-jsc-devel-2.52.3-1.el9_2.x86_64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.52.3-1.el9_2.i686.rpm
webkit2gtk3-jsc-devel-debuginfo-2.52.3-1.el9_2.x86_64.rpm

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2

SRPM
webkit2gtk3-2.52.3-1.el9_2.src.rpm

ppc64le
webkit2gtk3-2.52.3-1.el9_2.ppc64le.rpm
webkit2gtk3-debuginfo-2.52.3-1.el9_2.ppc64le.rpm
webkit2gtk3-debugsource-2.52.3-1.el9_2.ppc64le.rpm
webkit2gtk3-devel-2.52.3-1.el9_2.ppc64le.rpm
webkit2gtk3-devel-debuginfo-2.52.3-1.el9_2.ppc64le.rpm
webkit2gtk3-jsc-2.52.3-1.el9_2.ppc64le.rpm
webkit2gtk3-jsc-debuginfo-2.52.3-1.el9_2.ppc64le.rpm
webkit2gtk3-jsc-devel-2.52.3-1.el9_2.ppc64le.rpm
