This advisory covers 18 distinct vulnerabilities in webkit2gtk3, a GTK port of WebKit, impacting Red Hat Enterprise Linux 9.2 and related distributions. The vulnerabilities include multiple causes of unexpected process crashes (CVE-2025-43213, CVE-2025-43214, CVE-2025-43457, CVE-2025-43511, CVE-2026-20608, CVE-2026-20635, CVE-2026-20636, CVE-2026-20644, CVE-2026-20664, CVE-2026-28857), denial-of-service (CVE-2026-20652), information disclosure (CVE-2025-46299), bypass of Same Origin Policy (CVE-2026-20643), prevention of Content Security Policy enforcement (CVE-2026-20665), user tracking via Safari web extensions (CVE-2026-20676), user fingerprinting (CVE-2026-20691), processing restricted content outside sandbox (CVE-2026-28859), and cross-site scripting (CVE-2026-28871). These vulnerabilities stem from processing maliciously crafted web content or websites. Red Hat has released updated packages to address these issues.

The vulnerabilities can cause unexpected crashes of Safari or other processes using webkit2gtk3, potentially leading to denial-of-service conditions. Some issues allow disclosure of internal application states, bypassing of security policies like Same Origin Policy and Content Security Policy, enabling user tracking and fingerprinting, and cross-site scripting attacks. These impacts can compromise application stability, user privacy, and security enforcement mechanisms.

Red Hat has released an important security update for webkit2gtk3 in Red Hat Enterprise Linux 9.2 and related products. Users should apply the update as detailed in the Red Hat advisory (https://access.redhat.com/articles/11258) to remediate these vulnerabilities. No indication is given that the issues are already mitigated or require no action. Patch status is confirmed by the vendor advisory as an official fix.