This security advisory from Red Hat addresses a set of 18 vulnerabilities in the webkitgtk4 package used in Red Hat Enterprise Linux 7 Extended Lifecycle Support. The vulnerabilities include multiple instances where processing maliciously crafted web content can cause unexpected crashes (denial-of-service), information disclosure, bypass of security policies such as Same Origin Policy and Content Security Policy, user fingerprinting, cross-site scripting attacks, and sandbox escapes. The advisory references specific CVEs ranging from CVE-2025-43213 through CVE-2026-28871. The issues affect the WebKitGTK+ port of the WebKit engine for GTK+ 3. The advisory provides updated packages to remediate these vulnerabilities.

The vulnerabilities may allow remote attackers to cause denial-of-service conditions via crashes, disclose internal application states, bypass browser security policies, track users through Safari web extensions, fingerprint users, and execute cross-site scripting attacks. These impacts can degrade application stability, compromise user privacy, and weaken web security controls in affected Red Hat Enterprise Linux 7 Extended Lifecycle Support systems using webkitgtk4.

Red Hat has released updated webkitgtk4 packages that address these vulnerabilities. Users of affected Red Hat Enterprise Linux 7 Extended Lifecycle Support systems should apply the security update provided in advisory RHSA-2026:22136 as soon as possible. Detailed update instructions are available at https://access.redhat.com/articles/11258. No indication of alternative mitigations or workarounds is provided, so applying the official update is the recommended remediation.