Red Hat Product Security has published an important security advisory for webkit2gtk3, addressing 18 distinct vulnerabilities (CVE-2025-43213 through CVE-2026-28871) in the WebKitGTK engine. The vulnerabilities include multiple causes of unexpected process crashes, denial-of-service, information disclosure, bypass of Same Origin Policy and Content Security Policy, user tracking and fingerprinting, cross-site scripting, and sandbox escape. These issues result from processing maliciously crafted web content or websites. The advisory covers Red Hat Enterprise Linux 9.4 Extended Update Support and related variants. Red Hat provides updated packages to fix these vulnerabilities, and detailed remediation instructions are available in their advisory RHSA-2026:14659.

The vulnerabilities may lead to denial-of-service through process crashes, information disclosure of internal application states, bypass of critical web security policies (Same Origin Policy and Content Security Policy), user tracking and fingerprinting, cross-site scripting attacks, and sandbox escapes allowing processing of restricted web content. These impacts can compromise the confidentiality, integrity, and availability of affected systems running the vulnerable webkit2gtk3 packages.

Red Hat has released updated webkit2gtk3 packages as part of advisory RHSA-2026:14659 to address these vulnerabilities. Users of affected Red Hat Enterprise Linux 9.4 Extended Update Support and related products should apply these official security updates promptly. For detailed instructions on applying the update, refer to https://access.redhat.com/articles/11258. There are no indications that these issues are mitigated by default or require additional configuration beyond applying the update.