Red Hat Security Advisory: webkit2gtk3 security update
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fix(es): * webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2026-28946) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28847) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28883) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28901) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28902) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28903) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28904) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28905) * webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2026-28907) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2026-28942) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2026-28947) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28953) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28955) * webkitgtk: An app may be able to access sensitive user data (CVE-2026-28958) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2026-43658) * webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2026-43660) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
AI Analysis
Technical Summary
The Red Hat security advisory RHSA-2026:25918 addresses multiple vulnerabilities in webkit2gtk3, the GTK port of the WebKit engine. The vulnerabilities include numerous instances where processing maliciously crafted web content may cause unexpected crashes in Safari or other processes (CVE-2026-28847, CVE-2026-28883, CVE-2026-28901, CVE-2026-28902, CVE-2026-28903, CVE-2026-28904, CVE-2026-28905, CVE-2026-28942, CVE-2026-28946, CVE-2026-28947, CVE-2026-28953, CVE-2026-28955, CVE-2026-43658). Additionally, some vulnerabilities allow malicious content to prevent Content Security Policy enforcement (CVE-2026-28907, CVE-2026-43660), and one vulnerability may permit an application to access sensitive user data (CVE-2026-28958). These issues are collectively rated as important by Red Hat Product Security, with an overall high severity assessment. The advisory provides updated packages for Red Hat Enterprise Linux 8 and its extended lifecycle variants to remediate these vulnerabilities.
Potential Impact
Exploitation of these vulnerabilities may lead to denial of service through unexpected crashes of Safari or other processes handling web content. Some vulnerabilities can bypass Content Security Policy enforcement, potentially weakening web security controls. One vulnerability may allow an application to access sensitive user data, posing a confidentiality risk. The overall impact includes potential service disruption and data exposure on affected systems running vulnerable versions of webkit2gtk3.
Mitigation Recommendations
Red Hat has released updated webkit2gtk3 packages for Red Hat Enterprise Linux 8 and its extended lifecycle variants to address these vulnerabilities. Users should apply the security update as described in the Red Hat advisory RHSA-2026:25918 available at https://access.redhat.com/errata/RHSA-2026:25918 and follow the update instructions at https://access.redhat.com/articles/11258. Applying these updates will remediate the identified security issues. No additional mitigation steps are indicated by the vendor advisory.
Red Hat Security Advisory: webkit2gtk3 security update
Description
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fix(es): * webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2026-28946) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28847) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28883) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28901) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28902) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28903) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28904) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28905) * webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2026-28907) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2026-28942) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2026-28947) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28953) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28955) * webkitgtk: An app may be able to access sensitive user data (CVE-2026-28958) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2026-43658) * webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2026-43660) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected software
pkg:rpm/redhat/webkit2gtk3Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Red Hat security advisory RHSA-2026:25918 addresses multiple vulnerabilities in webkit2gtk3, the GTK port of the WebKit engine. The vulnerabilities include numerous instances where processing maliciously crafted web content may cause unexpected crashes in Safari or other processes (CVE-2026-28847, CVE-2026-28883, CVE-2026-28901, CVE-2026-28902, CVE-2026-28903, CVE-2026-28904, CVE-2026-28905, CVE-2026-28942, CVE-2026-28946, CVE-2026-28947, CVE-2026-28953, CVE-2026-28955, CVE-2026-43658). Additionally, some vulnerabilities allow malicious content to prevent Content Security Policy enforcement (CVE-2026-28907, CVE-2026-43660), and one vulnerability may permit an application to access sensitive user data (CVE-2026-28958). These issues are collectively rated as important by Red Hat Product Security, with an overall high severity assessment. The advisory provides updated packages for Red Hat Enterprise Linux 8 and its extended lifecycle variants to remediate these vulnerabilities.
Potential Impact
Exploitation of these vulnerabilities may lead to denial of service through unexpected crashes of Safari or other processes handling web content. Some vulnerabilities can bypass Content Security Policy enforcement, potentially weakening web security controls. One vulnerability may allow an application to access sensitive user data, posing a confidentiality risk. The overall impact includes potential service disruption and data exposure on affected systems running vulnerable versions of webkit2gtk3.
Mitigation Recommendations
Red Hat has released updated webkit2gtk3 packages for Red Hat Enterprise Linux 8 and its extended lifecycle variants to address these vulnerabilities. Users should apply the security update as described in the Red Hat advisory RHSA-2026:25918 available at https://access.redhat.com/errata/RHSA-2026:25918 and follow the update instructions at https://access.redhat.com/articles/11258. Applying these updates will remediate the identified security issues. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2026:25918
- Cve Count
- 16
- Additional Cves
- ["CVE-2026-28883","CVE-2026-28901","CVE-2026-28902","CVE-2026-28903","CVE-2026-28904","CVE-2026-28905","CVE-2026-28907","CVE-2026-28942","CVE-2026-28946","CVE-2026-28947","CVE-2026-28953","CVE-2026-28955","CVE-2026-28958","CVE-2026-43658","CVE-2026-43660"]
- Cvss Version
- null
Threat ID: 6a2fc0030b89be688883c2f7
Added to database: 6/15/2026, 9:04:03 AM
Last enriched: 6/15/2026, 9:04:28 AM
Last updated: 6/15/2026, 10:37:36 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.