Red Hat Product Security has released an important security advisory (RHSA-2026:11329) addressing 18 vulnerabilities in webkit2gtk3, the GTK port of the WebKit engine. The vulnerabilities include multiple instances where processing maliciously crafted web content can cause unexpected crashes (CVE-2025-43213, CVE-2025-43214, CVE-2025-43457, CVE-2025-43511, CVE-2026-20608, CVE-2026-20635, CVE-2026-20636, CVE-2026-20644, CVE-2026-20664, CVE-2026-28857), denial-of-service (CVE-2026-20652), information disclosure (CVE-2025-46299), bypass of Same Origin Policy (CVE-2026-20643), prevention of Content Security Policy enforcement (CVE-2026-20665), user tracking via Safari web extensions (CVE-2026-20676), user fingerprinting (CVE-2026-20691), processing restricted content outside the sandbox (CVE-2026-28859), and cross-site scripting (CVE-2026-28871). These vulnerabilities affect Red Hat Enterprise Linux 9.6 Extended Update Support and related packages. The advisory provides links to patches and instructions for remediation.

The vulnerabilities can lead to unexpected process crashes causing denial-of-service conditions, potential information disclosure of internal application states, bypass of critical web security policies (Same Origin Policy and Content Security Policy), user tracking and fingerprinting, and cross-site scripting attacks. These impacts can compromise the confidentiality, integrity, and availability of affected systems running webkit2gtk3 on Red Hat Enterprise Linux 9.6 Extended Update Support. No known exploits in the wild have been reported at this time.

Red Hat has released updated packages for webkit2gtk3 that address all listed vulnerabilities. Users of affected Red Hat Enterprise Linux 9.6 Extended Update Support versions should apply these official updates promptly to remediate the issues. Detailed instructions for applying the update are available at https://access.redhat.com/articles/11258. No additional mitigation steps are indicated by the vendor advisory.