SUSE-SU-2026:20102-1

This update for webkit2gtk3 fixes the following issues:

Update to version 2.50.4.

Security issues fixed:

• CVE-2025-13502: processing of maliciously crafted payloads by the GLib remote inspector server may lead to a UIProcess crash due to an out-of-bounds read and an integer underflow (bsc#1254208).
• CVE-2025-13947: use of the file drag-and-drop mechanism may lead to remote information disclosure due to a lack of verification of the origins of drag operations (bsc#1254473).
• CVE-2025-14174: processing maliciously crafted web content may lead to memory corruption due to improper validation (bsc#1255497).
• CVE-2025-43272: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1250439).
• CVE-2025-43342: processing maliciously crafted web content may lead to an unexpected process crash due to a correctness issue and missing checks (bsc#1250440).
• CVE-2025-43343: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1251975).
• CVE-2025-43356: a website may be able to access sensor information without user consent due to improper cache handling (bsc#1250441).
• CVE-2025-43368: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1250442).
• CVE-2025-43392: websites may exfiltrate image data cross-origin due to issues with cache handling (bsc#1254165).
• CVE-2025-43419: processing maliciously crafted web content may lead to memory corruption due to improper memory handling (bsc#1254166).
• CVE-2025-43421: processing maliciously crafted web content may lead to an unexpected process crash due to enabled array allocation sinking (bsc#1254167).
• CVE-2025-43425: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1254168).
• CVE-2025-43427: processing maliciously crafted web content may lead to an unexpected process crash due to issues with state management (bsc#1254169).
• CVE-2025-43429: processing maliciously crafted web content may lead to an unexpected process crash due to a buffer overflow issue (bsc#1254174).
• CVE-2025-43430: processing maliciously crafted web content may lead to an unexpected process crash due to issues with state management (bsc#1254172).
• CVE-2025-43431: processing maliciously crafted web content may lead to memory corruption due to improper memory handling (bsc#1254170).
• CVE-2025-43432: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1254171).
• CVE-2025-43434: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1254179).
• CVE-2025-43440: processing maliciously crafted web content may lead to an unexpected process crash due to missing checks (bsc#1254177).
• CVE-2025-43443: processing maliciously crafted web content may lead to an unexpected process crash due to missing checks (bsc#1254176).
• CVE-2025-43458: processing maliciously crafted web content may lead to an unexpected process crash due to issues with state management (bsc#1254498).
• CVE-2025-43501: processing maliciously crafted web content may lead to an unexpected process crash due to a buffer overflow issue (bsc#1255194).
• CVE-2025-43529: processing maliciously crafted web content may lead to arbitrary code execution due to a use-after-free issue (bsc#1255198).
• CVE-2025-43531: processing maliciously crafted web content may lead to an unexpected process crash due to a race condition (bsc#1255183).
• CVE-2025-43535: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1255195).
• CVE-2025-43536: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1255200).
• CVE-2025-43541: processing maliciously crafted web content may lead to an unexpected process crash due to type confusion (bsc#1255191).
• CVE-2025-66287: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1254509).

Other issues fixed and changes:

• Version 2.50.4:

  • Correctly handle the program name passed to the sleep disabler.
  • Ensure GStreamer is initialized before using the Quirks.
  • Fix several crashes and rendering issues.

• Version 2.50.3:

  • Fix seeking and looping of media elements that set the "loop" property.
  • Fix several crashes and rendering issues.

• Version 2.50.2:

  • Prevent unsafe URI schemes from participating in media playback.
  • Make jscvaluearraybufferget_data() function introspectable.
  • Fix logging in to Google accounts that have a WebAuthn second factor configured.
  • Fix loading webkit://gpu when there are no threads configured for GPU rendering.
  • Fix rendering gradiants that use the CSS hue interpolation method.
  • Fix pasting image data from the clipboard.
  • Fix font-family selection when the font name contains spaces.
  • Fix the build with standard C libraries that lack execinfo.h, like Musl or uClibc.
  • Fix capturing canvas snapshots in the Web Inspector.
  • Fix several crashes and rendering issues.

• Version 2.50.1:

  • Improve text rendering performance.
  • Fix audio playback broken on instagram.
  • Fix rendering of layers with fractional transforms.
  • Fix the build with ENABLE(VIDEO) disabled.
  • Fix the build in s390x.
  • Fix several crashes and rendering issues.

• Version 2.50.0:

  • Improved rendering performance by recording each layer once and replaying every dirty region in different worker threads.
  • Enable damage propagation to the UI process by default.
  • CSS property font-variant-emoji is now enabled by default.
  • Font synthesis properties (bold/italic) are now properly handled.
  • Ensure web view is focused on tap gesture.
  • Added new API to get the theme color of a WebKitWebView.

• Version 2.49.90:

  • Add support for font collection / fragment identifiers.
  • Fix web process deadlock on exit.
  • Fix stuttering when playing WebP animations
  • Fix CSS animations with cubic-bezier timing function.
  • Do not start the MemoryPressureMonitor if it’s disabled
  • Fix several crashes and rendering issues.
  • Updated translations.

• Version 2.48.6:

  • Fix emojis incorrectly rendered in their text variant.
  • Add support for font collection / fragment identifiers.
  • Fix web process deadlock on exit.
  • Fix stuttering when playing WebP animations.
  • Fix CSS animations with cubic-bezier timing function.
  • Do not start the MemoryPressureMonitor if it's disabled.
  • Fix several crashes and rendering issues.

• Fix a11y regression where AT-SPI roles were mapped incorrectly.

• Disable skia on ppc64le.