The Red Hat security advisory RHSA-2026:19535 addresses 18 distinct vulnerabilities in webkit2gtk3, the GTK port of WebKit. These vulnerabilities include multiple causes of unexpected process crashes (CVE-2025-43213, CVE-2025-43214, CVE-2025-43457, CVE-2025-43511, CVE-2026-20608, CVE-2026-20635, CVE-2026-20636, CVE-2026-20644, CVE-2026-20664, CVE-2026-28857), denial-of-service (CVE-2026-20652), information disclosure (CVE-2025-46299), bypass of Same Origin Policy (CVE-2026-20643), prevention of Content Security Policy enforcement (CVE-2026-20665), user tracking via Safari web extensions (CVE-2026-20676), user fingerprinting (CVE-2026-20691), processing restricted content outside sandbox (CVE-2026-28859), and cross-site scripting (CVE-2026-28871). These vulnerabilities stem from processing maliciously crafted web content and affect Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions and related packages. The advisory includes fixes for these issues.

The vulnerabilities may cause unexpected process crashes leading to denial-of-service conditions, disclose internal application states, allow bypass of web security policies such as Same Origin Policy and Content Security Policy, enable user tracking and fingerprinting, and permit cross-site scripting attacks. These impacts can compromise application stability, user privacy, and web security enforcement in affected environments using webkit2gtk3. There are no known exploits in the wild at the time of the advisory.

Red Hat has released updated packages for webkit2gtk3 to address these vulnerabilities as detailed in advisory RHSA-2026:19535. Users and administrators should apply these official security updates promptly to remediate the issues. For detailed update instructions, refer to https://access.redhat.com/articles/11258. No additional mitigation steps are indicated beyond applying the provided patches.