Security News

Cybersecurity news aggregator

HIGH Updates Red Hat Errata

RHSA-2026:19206: Important: webkit2gtk3 security update

This Red Hat security advisory addresses multiple vulnerabilities in the webkit2gtk3 package for RHEL 9, rated Important. The vulnerabilities include memory corruption issues leading to crashes (CVE-2025-43213, CVSS 6.5), Same Origin Policy bypass (CVE-2026-20643), Content Security Policy bypass (CVE-2026-20665), sandbox escape (CVE-2026-28859), and user tracking/fingerprinting flaws. The article does not provide specific affected or fixed version numbers for the webkit2gtk3 package itself, nor does it list a workaround.

Red Hat Product Errata
RHSA-2026:19206 - Security Advisory
Issued: 2026-05-19
Updated: 2026-05-19

Synopsis
Important: webkit2gtk3 security update

Type/Severity
Security Advisory: Important

Topic
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):
  webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43213)
  webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43214)
  webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43457)
  webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43511)
  webkitgtk: Processing maliciously crafted web content may disclose internal states of the app (CVE-2025-46299)
  webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20608)
  webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20635)
  webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20636)
  webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20644)
  webkitgtk: A remote attacker may be able to cause a denial-of-service (CVE-2026-20652)
  webkitgtk: A website may be able to track users through Safari web extensions (CVE-2026-20676)
  webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy (CVE-2026-20643)
  webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20664)
  webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2026-20665)
  webkitgtk: A maliciously crafted webpage may be able to fingerprint the user (CVE-2026-20691)
  webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28857)
  webkitgtk: A malicious website may be able to process restricted web content outside the sandbox (CVE-2026-28859)
  webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack (CVE-2026-28871)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

Affected Products
  Red Hat Enterprise Linux for x86_64 9 x86_64
  Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8 x86_64
  Red Hat Enterprise Linux for IBM z Systems 9 s390x
  Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.8 s390x
  Red Hat Enterprise Linux for Power, little endian 9 ppc64le
  Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.8 ppc64le
  Red Hat Enterprise Linux for ARM 64 9 aarch64
  Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.8 aarch64
  Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.8 ppc64le
  Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.8 x86_64
  Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.8 aarch64
  Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.8 s390x
  Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.8 x86_64
  Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.8 aarch64
  Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.8 ppc64le
  Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.8 s390x

Fixes
  BZ - 2448781 - CVE-2025-43213 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
  BZ - 2448782 - CVE-2025-43214 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
  BZ - 2448786 - CVE-2025-43457 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
  BZ - 2448787 - CVE-2025-43511 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  BZ - 2448788 - CVE-2025-46299 webkitgtk: Processing maliciously crafted web content may disclose internal states of the app
  BZ - 2448789 - CVE-2026-20608 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  BZ - 2448790 - CVE-2026-20635 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  BZ - 2448791 - CVE-2026-20636 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  BZ - 2448792 - CVE-2026-20644 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  BZ - 2448793 - CVE-2026-20652 webkitgtk: A remote attacker may be able to cause a denial-of-service
  BZ - 2448794 - CVE-2026-20676 webkitgtk: A website may be able to track users through Safari web extensions
  BZ - 2453000 - CVE-2026-20643 webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy
  BZ - 2453001 - CVE-2026-20664 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  BZ - 2453002 - CVE-2026-20665 webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
  BZ - 2453003 - CVE-2026-20691 webkitgtk: A maliciously crafted webpage may be able to fingerprint the user
  BZ - 2453004 - CVE-2026-28857 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  BZ - 2453006 - CVE-2026-28859 webkitgtk: A malicious website may be able to process restricted web content outside the sandbox
  BZ - 2453008 - CVE-2026-28871 webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack

CVEs
  CVE-2025-43213, CVE-2025-43214, CVE-2025-43457, CVE-2025-43511, CVE-2025-46299, CVE-2026-20608, CVE-2026-20635, CVE-2026-20636, CVE-2026-20643, CVE-2026-20644, CVE-2026-20652, CVE-2026-20664, CVE-2026-20665, CVE-2026-20676, CVE-2026-20691, CVE-2026-28857, CVE-2026-28859, CVE-2026-28871

References
https://access.redhat.com/security/updates/classification/#important

Updated Packages
Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux for x86_64 9
SRPM
  webkit2gtk3-2.52.3-1.el9_8.src.rpm
x86_64
  webkit2gtk3-2.52.3-1.el9_8.i686.rpm
  webkit2gtk3-2.52.3-1.el9_8.x86_64.rpm
  webkit2gtk3-debuginfo-2.52.3-1.el9_8.i686.rpm
  webkit2gtk3-debuginfo-2.52.3-1.el9_8.x86_64.rpm
  webkit2gtk3-debugsource-2.52.3-1.el9_8.i686.rpm
  webkit2gtk3-debugsource-2.52.3-1.el9_8.x86_64.rpm
  webkit2gtk3-devel-2.52.3-1.el9_8.i686.rpm
  webkit2gtk3-devel-2.52.3-1.el9_8.x86_64.rpm
  webkit2gtk3-devel-debuginfo-2.52.3-1.el9_8.i686.rpm
  webkit2gtk3-devel-debuginfo-2.52.3-1.el9_8.x86_64.rpm
  webkit2gtk3-jsc-2.52.3-1.el9_8.i686.rpm
  webkit2gtk3-jsc-2.52.3-1.el9_8.x86_64.rpm
  webkit2gtk3-jsc-debuginfo-2.52.3-1.el9_8.i686.rpm
  webkit2gtk3-jsc-debuginfo-2.52.3-1.el9_8.x86_64.rpm
  webkit2gtk3-jsc-devel-2.52.3-1.el9_8.i686.rpm
  webkit2gtk3-jsc-devel-2.52.3-1.el9_8.x86_64.rpm
  webkit2gtk3-jsc-devel-debuginfo-2.52.3-1.el9_8.i686.rpm
  webkit2gtk3-jsc-devel-debuginfo-2.52.3-1.el9_8.x86_64.rpm

Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8
SRPM
  webkit2gtk3-2.52.3-1.el9_8.src.rpm
x86_64
  webkit2gtk3-2.52.3-1.el9_8.i686.rpm
  webkit2gtk3-2.52.3-1.el9_8.x86_64.rpm
  webkit2gtk3-debuginfo-2.52.3-1.el9_8.i686.rpm
  webkit2gtk3-debuginfo-2.52.3-1.el9_8.x86_64.rpm
  webkit2gtk3-debugsource-2.52.3-1.el9_8.i686.rpm
