RLSA-2026:9692

See a problem?
Please try reporting it to the source first.
Source
https://errata.rockylinux.org/RLSA-2026:9692
Import Source
https://storage.googleapis.com/resf-osv-data/RLSA-2026:9692.json
JSON Data
https://api.test.osv.dev/v1/vulns/RLSA-2026:9692
Upstream
  • CVE-2025-43213
  • CVE-2025-43214
  • CVE-2025-43457
  • CVE-2025-43511
  • CVE-2025-46299
  • CVE-2026-20608
  • CVE-2026-20635
  • CVE-2026-20636
  • CVE-2026-20643
  • CVE-2026-20644
  • CVE-2026-20652
  • CVE-2026-20664
  • CVE-2026-20665
  • CVE-2026-20676
  • CVE-2026-20691
  • CVE-2026-28857
  • CVE-2026-28859
  • CVE-2026-28871
Published
2026-04-24T12:03:31.152911Z
Modified
2026-04-24T12:30:09.697561Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Important: webkit2gtk3 security update
Details

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):

  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43213)

  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43214)

  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43457)

  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43511)

  • webkitgtk: Processing maliciously crafted web content may disclose internal states of the app (CVE-2025-46299)

  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20608)

  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20635)

  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20636)

  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20644)

  • webkitgtk: A remote attacker may be able to cause a denial-of-service (CVE-2026-20652)

  • webkitgtk: A website may be able to track users through Safari web extensions (CVE-2026-20676)

  • webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy (CVE-2026-20643)

  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20664)

  • webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2026-20665)

  • webkitgtk: A maliciously crafted webpage may be able to fingerprint the user (CVE-2026-20691)

  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28857)

  • webkitgtk: A malicious website may be able to process restricted web content outside the sandbox (CVE-2026-28859)

  • webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack (CVE-2026-28871)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References
Credits
    • Rocky Enterprise Software Foundation
    • Red Hat

Affected packages

Rocky Linux:9 / webkit2gtk3

Package

Name
webkit2gtk3
Purl
pkg:rpm/rocky-linux/webkit2gtk3?distro=rocky-linux-9&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:2.52.3-0.el9_7.1
Database specific 
{
    "yum_repository": "AppStream"
}

Database specific

source 
"https://storage.googleapis.com/resf-osv-data/RLSA-2026:9692.json"