RHSA-2026:22136: Important: webkitgtk4 security update

This Red Hat security advisory, rated Important, addresses 18 vulnerabilities in the webkitgtk4 package for Red Hat Enterprise Linux 7 Extended Lifecycle Support (ELS). Most are triggered by processing maliciously crafted web content and result in a process crash (denial of service); the set also includes a Same Origin Policy bypass (CVE-2026-20643), a Content Security Policy enforcement bypass (CVE-2026-20665), a cross-site scripting issue (CVE-2026-28871), processing of restricted web content outside the sandbox (CVE-2026-28859), disclosure of internal application state (CVE-2025-46299), and user tracking and fingerprinting issues (CVE-2026-20676, CVE-2026-20691). Per-CVE CVSS base scores are on Red Hat's CVE pages; the aggregator reports CVSS 6.5 for CVE-2025-43213. The fixed build is webkitgtk4-2.52.3-1.el7_9. Because WebKitGTK renders untrusted web content inside any GTK application that embeds it, not only a browser, RHEL 7 ELS systems with webkitgtk4 installed should apply the update promptly.

Red Hat Product Errata RHSA-2026:22136 - Security Advisory

Issued: 2026-06-01
Updated: 2026-06-01

Synopsis: Important: webkitgtk4 security update
Type/Severity: Security Advisory: Important

Topic

An update for webkitgtk4 is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

WebKitGTK+ is a port of the WebKit portable web rendering engine to the GTK+ platform. These packages provide WebKitGTK+ for GTK+ 3.

Security Fix(es):

- webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43213)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43214)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43457)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43511)
- webkitgtk: Processing maliciously crafted web content may disclose internal states of the app (CVE-2025-46299)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20608)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20635)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20636)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20644)
- webkitgtk: A remote attacker may be able to cause a denial-of-service (CVE-2026-20652)
- webkitgtk: A website may be able to track users through Safari web extensions (CVE-2026-20676)
- webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy (CVE-2026-20643)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20664)
- webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2026-20665)
- webkitgtk: A maliciously crafted webpage may be able to fingerprint the user (CVE-2026-20691)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28857)
- webkitgtk: A malicious website may be able to process restricted web content outside the sandbox (CVE-2026-28859)
- webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack (CVE-2026-28871)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products

- Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
- Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x
- Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64
- Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le

Fixes

- BZ - 2448781 - CVE-2025-43213 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
- BZ - 2448782 - CVE-2025-43214 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
- BZ - 2448786 - CVE-2025-43457 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
- BZ - 2448787 - CVE-2025-43511 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
- BZ - 2448788 - CVE-2025-46299 webkitgtk: Processing maliciously crafted web content may disclose internal states of the app
- BZ - 2448789 - CVE-2026-20608 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
- BZ - 2448790 - CVE-2026-20635 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
- BZ - 2448791 - CVE-2026-20636 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
- BZ - 2448792 - CVE-2026-20644 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
- BZ - 2448793 - CVE-2026-20652 webkitgtk: A remote attacker may be able to cause a denial-of-service
- BZ - 2448794 - CVE-2026-20676 webkitgtk: A website may be able to track users through Safari web extensions
- BZ - 2453000 - CVE-2026-20643 webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy
- BZ - 2453001 - CVE-2026-20664 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
- BZ - 2453002 - CVE-2026-20665 webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
- BZ - 2453003 - CVE-2026-20691 webkitgtk: A maliciously crafted webpage may be able to fingerprint the user
- BZ - 2453004 - CVE-2026-28857 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
- BZ - 2453006 - CVE-2026-28859 webkitgtk: A malicious website may be able to process restricted web content outside the sandbox
- BZ - 2453008 - CVE-2026-28871 webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack

CVEs

CVE-2025-43213, CVE-2025-43214, CVE-2025-43457, CVE-2025-43511, CVE-2025-46299, CVE-2026-20608, CVE-2026-20635, CVE-2026-20636, CVE-2026-20643, CVE-2026-20644, CVE-2026-20652, CVE-2026-20664, CVE-2026-20665, CVE-2026-20676, CVE-2026-20691, CVE-2026-28857, CVE-2026-28859, CVE-2026-28871

References

https://access.redhat.com/security/updates/classification/#important

Updated Packages

Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux Server - Extended Life Cycle Support 7

SRPM
webkitgtk4-2.52.3-1.el7_9.src.rpm  SHA-256: 935af8f7539fcb97740e052c64fa8b38b3ad385adf787c2c890d7d9bc4bdfa57

x86_64
webkitgtk4-2.52.3-1.el7_9.x86_64.rpm  SHA-256: 04cd15df9a28819eb99d29fd37640d8ec1ca80d4f56dd02e861945ba13f0c249
webkitgtk4-debuginfo-2.52.3-1.el7_9.x86_64.rpm  SHA-256: 233dada988b3fe8dec6edb52115a14cc038ac6747db010f065ea5e5bcf3021a6
webkitgtk4-devel-2.52.3-1.el7_9.x86_64.rpm  SHA-256: 87ad3ae1a2b798c4e3ad2f3f9f32bcb093dcb7dda8a2e6c06611f0e782c16542
webkitgtk4-doc-2.52.3-1.el7_9.noarch.rpm  SHA-256: 68ec45f0e98ee8732f846f0035afc808d7757ca50e8e9e88e6d3160b9e538d96
webkitgtk4-jsc-2.52.3-1.el7_9.x86_64.rpm  SHA-256: ead7c9ac03138f89eb392050650e5f551167b8bf3c817018cedf8e5362cc5542
webkitgtk4-jsc-devel-2.52.3-1.el7_9.x86_64.rpm  SHA-256: 8b236cc3b6ffbb3dd6fe15ab603b08234db2b592659b89a88cd01d0921a36ba0

Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7

SRPM
webkitgtk4-2.52.3-1.el7_9.src.rpm  SHA-256: 935af8f7539fcb97740e052c64fa8b38b3ad385adf787c2c890d7d9bc4bdfa57

s390x
webkitgtk4-2.52.3-1.el7_9.s390x.rpm  SHA-256: 8c2d8c61cd19661f2b4cb74ffaecf919fefe85b673fa06082ba2acbee2f1b325
webkitgtk4-debuginfo-2.52.3-1.el7_9.s390x.rpm  SHA-256: b777bc1ba669c1e08649e09c751bc0bebe04a476ca9fb3f0011172df59483e95
webkitgtk4-devel-2.52.3-1.el7_9.s390x.rpm  SHA-256: da8d712733d9c994904632c295aec9efdf4774c8859a709469d70c117eb70c1c
webkitgtk4-doc-2.52.3-1.el7_9.noarch.rpm  SHA-256: 68ec45f0e98ee8732f846f0035afc808d7757ca50e8e9e88e6d3160b9e538d96
webkitgtk4-jsc-2.52.3-1.el7_9.s390x.rpm  SHA-256: 48c7ff19d34ed2cb24610694a6cc57a145238ccd2d44bee1f2ef7fa47e4c5a33
webkitgtk4-jsc-devel-2.52.3-1.el7_9.s390x.rpm  SHA-256: f3a7aff9dfabc090a950c164d3a53a1c4dcc1fb88895a046cd24343af69721a2

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7

SRPM
webkitgtk4-2.52.3-1.el7_9.src.rpm  SHA-256: 935af8f7539fcb97740e052c64fa8b38b3ad385adf787c2c890d7d9bc4bdfa57

ppc64
webkitgtk4-doc-2.52.3-1.el7_9.noarch.rpm  SHA-256: 68ec45f0e98ee8732f846f0035afc808d7757ca50e8e9e88e6d3160b9e538d96

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7

SRPM
webkitgtk4-2.52.3-1.el7_9.src.rpm  SHA-256: 935af8f7539fcb97740e052c64fa8b38b3ad385adf787c2c890d7d9bc4bdfa57

ppc64le
webkitgtk4-2.52.3-1.el7_9.ppc64le.rpm  SHA-256: 986e20c142d185525dc780bc205e5e48560ef90b40781da67c0de77fdb08e4c6
webkitgtk4-debuginfo-2.52.3-1.el7_9.ppc64le.rpm  SHA-256: f142a1abd221ba394f4c560ae37243bb68d38f20494488b402562f5d62b0da28
webkitgtk4-devel-2.52.3-1.el7_9.ppc64le.rpm  SHA-256: 09d2e921a65fa6d3f88031a1554f9ad123d0ee6c5a779ade4e5dcf165fc83367
webkitgtk4-doc-2.52.3-1.el7_9.noarch.rpm  SHA-256: 68ec45f0e98ee8732f846f0035afc808d7757ca50e8e9e88e6d3160b9e538d96
webkitgtk4-jsc-2.52.3-1.el7_9.ppc64le.rpm  SHA-256: 1b0886ea0e525e4ae090b6686cb45b863c8fe723272cbad7cd11a902f117648b
webkitgtk4-jsc-devel-2.52.3-1.el7_9.ppc64le.rpm  SHA-256: 2f00bf53d84d005c69ee3e8fa80513bec4fae7a951619741cb82b9c1806eeae6

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
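Two checks an administrator wants when acting on this advisory across a RHEL 7 ELS fleet, added here as an example (this is not Red Hat's tooling and not code from the advisory): whether the installed webkitgtk4 is already at or above the fixed build 2.52.3-1.el7_9, decided with a port of rpm's own rpmvercmp ordering rather than a naive string compare, and whether a downloaded RPM matches the advisory's SHA-256 table. The three checksum entries are copied from the advisory; the installed-version samples in the main block are constructed, and the rpm query format shown in the comments is the standard rpm one, not something the advisory specifies.

```python
"""Added example for RHSA-2026:22136 (not Red Hat's code): is the installed
webkitgtk4 at or above the fixed build, and do downloaded RPMs match the
advisory's SHA-256 table."""
import hashlib
import hmac
import re

FIXED_VR = "2.52.3-1.el7_9"  # version-release shipped by the advisory
# Excerpt of the advisory's package/checksum list, copied from the page text.
ADVISORY_TEXT = """
webkitgtk4-2.52.3-1.el7_9.src.rpm SHA-256: 935af8f7539fcb97740e052c64fa8b38b3ad385adf787c2c890d7d9bc4bdfa57
webkitgtk4-2.52.3-1.el7_9.x86_64.rpm SHA-256: 04cd15df9a28819eb99d29fd37640d8ec1ca80d4f56dd02e861945ba13f0c249
webkitgtk4-jsc-2.52.3-1.el7_9.x86_64.rpm SHA-256: ead7c9ac03138f89eb392050650e5f551167b8bf3c817018cedf8e5362cc5542
"""
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp: split on separators into numeric/alpha segments;
    numeric beats alpha, leading zeros are ignored, a longer number wins, '~'
    sorts before anything, leftover characters win. '^' is not handled."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (_SEG.match(a, i) or a[i] == "~"):
            i += 1  # skip separators such as '.', '-', '_'
        while j < len(b) and not (_SEG.match(b, j) or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta != tb:                      # only one side is a pre-release
            return -1 if ta else 1
        if ta:                            # both '~': consume and continue
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group()
        mb = re.match(pat, b[j:])
        sb = mb.group() if mb else ""
        i, j = i + len(sa), j + len(sb)
        if not sb:                        # one numeric, one alpha segment
            return 1 if isnum else -1     # numeric is considered newer
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):        # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evr_compare(x: str, y: str) -> int:
    """Compare two '[epoch:]version-release' strings field by field."""
    def split(evr):
        epoch, _, rest = evr.rpartition(":")      # missing epoch -> ''
        version, _, release = rest.partition("-")
        return epoch or "0", version, release
    for p, q in zip(split(x), split(y)):
        r = rpmvercmp(p, q)
        if r:
            return r
    return 0


def is_patched(installed: str) -> bool:
    """installed is what `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' webkitgtk4`
    prints on the host; rpm renders a missing epoch as '(none)'."""
    return evr_compare(installed.replace("(none):", ""), FIXED_VR) >= 0


def parse_checksums(text: str) -> dict:
    """Turn 'name.rpm SHA-256: <hex>' entries from the advisory into {name: hex}."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\S+\.rpm)\s+SHA-256:\s*([0-9a-f]{64})", text)}


ADVISORY_SHA256 = parse_checksums(ADVISORY_TEXT)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_bytes(name: str, data: bytes, table: dict = None) -> bool:
    """True only if name is listed in the table and data hashes to its entry."""
    expected = (ADVISORY_SHA256 if table is None else table).get(name)
    return expected is not None and hmac.compare_digest(sha256_hex(data), expected)


def sha256sum_lines(table: dict = None) -> str:
    """Render the table in the two-space format `sha256sum -c` reads."""
    table = ADVISORY_SHA256 if table is None else table
    return "".join(f"{h}  {n}\n" for n, h in sorted(table.items()))


if __name__ == "__main__":
    # Constructed sample values, not output captured from a real host.
    for vr in ("2.44.3-1.el7_9", "(none):2.52.3-1.el7_9", "2.52.3-2.el7_9"):
        print(vr, "patched" if is_patched(vr) else "needs RHSA-2026:22136")
    print(sha256sum_lines(), end="")
```

Two caveats. The advisory itself notes that newer builds of these packages may be available, so a checksum mismatch on a freshly downloaded RPM is not by itself a red flag: check the file name against the table first, and treat the Red Hat GPG signature (`rpm -K file.rpm`) as the primary integrity check with the SHA-256 as a secondary one. And the release comparison must be done with rpm ordering, not lexicographic: `2.52.3` sorts below `2.9.0` as strings but above it as a version, which is exactly the class of mistake that leaves hosts reported as patched when they are not.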
