The Red Hat security advisory RHSA-2026:19206 addresses 18 vulnerabilities in webkit2gtk3, the GTK port of WebKit. The flaws include multiple instances where processing maliciously crafted web content can cause unexpected crashes (CVE-2025-43213, CVE-2025-43214, CVE-2025-43457, CVE-2025-43511, CVE-2026-20608, CVE-2026-20635, CVE-2026-20636, CVE-2026-20644, CVE-2026-20664, CVE-2026-28857), denial-of-service (CVE-2026-20652), information disclosure (CVE-2025-46299), bypass of Same Origin Policy (CVE-2026-20643), prevention of Content Security Policy enforcement (CVE-2026-20665), user tracking via Safari web extensions (CVE-2026-20676), user fingerprinting (CVE-2026-20691), sandbox escape (CVE-2026-28859), and cross-site scripting (CVE-2026-28871). These vulnerabilities affect Red Hat Enterprise Linux 9 and related variants. The advisory references bugzilla entries and CVE pages for detailed impact and scoring information.

Exploitation of these vulnerabilities may lead to denial-of-service conditions via process crashes, unauthorized disclosure of internal application states, bypass of critical web security policies (Same Origin Policy and Content Security Policy), user tracking and fingerprinting, sandbox escapes allowing processing of restricted content, and cross-site scripting attacks. These impacts can compromise the confidentiality, integrity, and availability of affected systems running webkit2gtk3 on Red Hat Enterprise Linux 9.

Red Hat has released an important security update for webkit2gtk3 in Red Hat Enterprise Linux 9 addressing all listed vulnerabilities. Users and administrators should apply the update as detailed in the Red Hat advisory RHSA-2026:19206 and the referenced article https://access.redhat.com/articles/11258. No additional mitigation steps are indicated beyond applying the official update.