Security News

Cybersecurity news aggregator

HIGH Updates Red Hat Errata

RHSA-2026:19535: Important: webkit2gtk3 security update

This Red Hat security advisory addresses multiple vulnerabilities in the webkit2gtk3 package for RHEL 9.0 SAP Solutions, rated Important, including issues where processing malicious web content can cause denial-of-service crashes, bypass the Same Origin Policy (CVE-2026-20643), or allow sandbox escape (CVE-2026-28859). The article lists numerous CVEs but does not provide specific affected or fixed version numbers for the webkit2gtk3 package itself; the provided NVD data references fixed versions for Apple products only, which are not applicable to this Red Hat update. Administrators should apply the Red Hat-provided webkit2gtk3 update to their affected RHEL systems to remediate these flaws.

Red Hat Product Errata
RHSA-2026:19535 - Security Advisory
Issued: 2026-05-20
Updated: 2026-05-20

Synopsis
Important: webkit2gtk3 security update

Type/Severity
Security Advisory: Important

Topic
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):
webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43213)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43214)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43457)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43511)
webkitgtk: Processing maliciously crafted web content may disclose internal states of the app (CVE-2025-46299)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20608)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20635)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20636)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20644)
webkitgtk: A remote attacker may be able to cause a denial-of-service (CVE-2026-20652)
webkitgtk: A website may be able to track users through Safari web extensions (CVE-2026-20676)
webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy (CVE-2026-20643)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20664)
webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2026-20665)
webkitgtk: A maliciously crafted webpage may be able to fingerprint the user (CVE-2026-20691)
webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28857)
webkitgtk: A malicious website may be able to process restricted web content outside the sandbox (CVE-2026-28859)
webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack (CVE-2026-28871)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

Affected Products
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x

Fixes
BZ - 2448781 - CVE-2025-43213 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
BZ - 2448782 - CVE-2025-43214 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
BZ - 2448786 - CVE-2025-43457 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
BZ - 2448787 - CVE-2025-43511 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2448788 - CVE-2025-46299 webkitgtk: Processing maliciously crafted web content may disclose internal states of the app
BZ - 2448789 - CVE-2026-20608 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2448790 - CVE-2026-20635 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2448791 - CVE-2026-20636 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2448792 - CVE-2026-20644 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2448793 - CVE-2026-20652 webkitgtk: A remote attacker may be able to cause a denial-of-service
BZ - 2448794 - CVE-2026-20676 webkitgtk: A website may be able to track users through Safari web extensions
BZ - 2453000 - CVE-2026-20643 webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy
BZ - 2453001 - CVE-2026-20664 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2453002 - CVE-2026-20665 webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
BZ - 2453003 - CVE-2026-20691 webkitgtk: A maliciously crafted webpage may be able to fingerprint the user
BZ - 2453004 - CVE-2026-28857 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
BZ - 2453006 - CVE-2026-28859 webkitgtk: A malicious website may be able to process restricted web content outside the sandbox
BZ - 2453008 - CVE-2026-28871 webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack

CVEs
CVE-2025-43213
CVE-2025-43214
CVE-2025-43457
CVE-2025-43511
CVE-2025-46299
CVE-2026-20608
CVE-2026-20635
CVE-2026-20636
CVE-2026-20643
CVE-2026-20644
CVE-2026-20652
CVE-2026-20664
CVE-2026-20665
CVE-2026-20676
CVE-2026-20691
CVE-2026-28857
CVE-2026-28859
CVE-2026-28871

References
https://access.redhat.com/security/updates/classification/#important

Updated Packages
Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0

SRPM
webkit2gtk3-2.52.3-1.el9_0.src.rpm

ppc64le
webkit2gtk3-2.52.3-1.el9_0.ppc64le.rpm
webkit2gtk3-debuginfo-2.52.3-1.el9_0.ppc64le.rpm
webkit2gtk3-debugsource-2.52.3-1.el9_0.ppc64le.rpm
webkit2gtk3-devel-2.52.3-1.el9_0.ppc64le.rpm
webkit2gtk3-devel-debuginfo-2.52.3-1.el9_0.ppc64le.rpm
webkit2gtk3-jsc-2.52.3-1.el9_0.ppc64le.rpm
webkit2gtk3-jsc-debuginfo-2.52.3-1.el9_0.ppc64le.rpm
webkit2gtk3-jsc-devel-2.52.3-1.el9_0.ppc64le.rpm
webkit2gtk3-jsc-devel-debuginfo-2.52.3-1.el9_0.ppc64le.rpm

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0

SRPM
webkit2gtk3-2.52.3-1.el9_0.src.rpm

x86_64
webkit2gtk3-2.52.3-1.el9_0.i686.rpm
webkit2gtk3-2.52.3-1.el9_0.x86_64.rpm
webkit2gtk3-debuginfo-2.52.3-1.el9_0.i686.rpm
webkit2gtk3-debuginfo-2.52.3-1.el9_0.x86_64.rpm
webkit2gtk3-debugsource-2.52.3-1.el9_0.i686.rpm
webkit2gtk3-debugsource-2.52.3-1.el9_0.x86_64.rpm
webkit2gtk3-devel-2.52.3-1.el9_0.i686.rpm
webkit2gtk3-devel-2.52.3-1.el9_0.x86_64.rpm
webkit2gtk3-devel-debuginfo-2.52.3-1.el9_0.i686.rpm
webkit2gtk3-devel-debuginfo-2.52.3-1.el9_0.x86_64.rpm
webkit2gtk3-jsc-2.52.3-1.el9_0.i686.rpm
webkit2gtk3-jsc-2.52.3-1.el9_0.x86_64.rpm
webkit2gtk3-jsc-debuginfo-2.52.3-1.el9_0.i686.rpm
webkit2gtk3-jsc-debuginfo-2.52.3-1.el9_0.x86_64.rpm
webkit2gtk3-jsc-devel-2.52.3-1.el9_0.i686.rpm
webkit2gtk3-jsc-devel-2.52.3-1.el9_0.x86_64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.52.3-1.el9_0.i686.rpm
webkit2gtk3-jsc-devel-debuginfo-2.52.3-1.el9_0.x86_64.rpm

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0

SRPM
webkit2gtk3-2.52.3-1.el9_0.src.rpm
