The Red Hat security advisory RHSA-2026:10702 addresses 18 distinct vulnerabilities in webkit2gtk3, a GTK port of the WebKit engine. The flaws include multiple causes of unexpected process crashes (CVE-2025-43213, CVE-2025-43214, CVE-2025-43457, CVE-2025-43511, CVE-2026-20608, CVE-2026-20635, CVE-2026-20636, CVE-2026-20644, CVE-2026-20664, CVE-2026-28857), information disclosure (CVE-2025-46299), denial-of-service (CVE-2026-20652), tracking via Safari web extensions (CVE-2026-20676), bypass of Same Origin Policy (CVE-2026-20643), prevention of Content Security Policy enforcement (CVE-2026-20665), user fingerprinting (CVE-2026-20691), sandbox escape allowing processing of restricted content (CVE-2026-28859), and cross-site scripting (CVE-2026-28871). These vulnerabilities stem from processing maliciously crafted web content or websites. The advisory covers Red Hat Enterprise Linux 8 and related variants, and Red Hat has released updated packages to remediate these issues.

The vulnerabilities can lead to unexpected crashes of Safari or other processes using webkit2gtk3, potentially causing denial-of-service conditions. Some flaws allow disclosure of internal application states, bypassing of web security policies (Same Origin Policy and Content Security Policy), user tracking and fingerprinting, sandbox escapes to access restricted content, and cross-site scripting attacks. These impacts can compromise application stability, user privacy, and web security enforcement mechanisms.

Red Hat has released updated webkit2gtk3 packages for Red Hat Enterprise Linux 8 to address these vulnerabilities. Users should apply the security update as described in Red Hat advisory RHSA-2026:10702 and the referenced article https://access.redhat.com/articles/11258. Applying the official patch fully mitigates the described issues. There is no indication that no action is required or that the issues are already mitigated without patching.