Red Hat Product Errata RHSA-2025:23433 - Security Advisory
Issued:
2025-12-17
Updated:
2025-12-17

RHSA-2025:23433 - Security Advisory

Synopsis

Important: webkit2gtk3 security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):

  • webkit: WebKitGTK / WPE WebKit: Out-of-bounds read and integer underflow vulnerability leading to DoS (CVE-2025-13502)
  • webkitgtk: A website may exfiltrate image data cross-origin (CVE-2025-43392)
  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43425)
  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43427)
  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43429)
  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43430)
  • webkitgtk: Processing maliciously crafted web content may lead to memory corruption (CVE-2025-43431)
  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43432)
  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43434)
  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43440)
  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43443)
  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43421)
  • webkit: WebKitGTK: Remote user-assisted information disclosure via file drag-and-drop (CVE-2025-13947)
  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43458)
  • webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-66287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server - AUS 8.2 x86_64

Fixes

  • BZ - 2416300 - CVE-2025-13502 webkit: WebKitGTK / WPE WebKit: Out-of-bounds read and integer underflow vulnerability leading to DoS
  • BZ - 2416325 - CVE-2025-43392 webkitgtk: A website may exfiltrate image data cross-origin
  • BZ - 2416327 - CVE-2025-43425 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  • BZ - 2416329 - CVE-2025-43427 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  • BZ - 2416330 - CVE-2025-43429 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  • BZ - 2416331 - CVE-2025-43430 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  • BZ - 2416332 - CVE-2025-43431 webkitgtk: Processing maliciously crafted web content may lead to memory corruption
  • BZ - 2416334 - CVE-2025-43432 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  • BZ - 2416335 - CVE-2025-43434 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
  • BZ - 2416336 - CVE-2025-43440 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  • BZ - 2416337 - CVE-2025-43443 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  • BZ - 2416355 - CVE-2025-43421 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  • BZ - 2418576 - CVE-2025-13947 webkit: WebKitGTK: Remote user-assisted information disclosure via file drag-and-drop
  • BZ - 2418855 - CVE-2025-43458 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
  • BZ - 2418857 - CVE-2025-66287 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash

Red Hat Enterprise Linux Server - AUS 8.2

SRPM
webkit2gtk3-2.50.3-2.el8_2.src.rpm SHA-256: f986ae7dff485afbc9f0c362d6efaf59a66612d4501d1425050e5058f1997fa5
x86_64
webkit2gtk3-2.50.3-2.el8_2.i686.rpm SHA-256: 040e70c65191bbfab67e8b774dfd70ca33c3727df98948c4e56972dce494e134
webkit2gtk3-2.50.3-2.el8_2.x86_64.rpm SHA-256: 22cc1534605eb2a5ed15206e7fe142e9947c063e88f2bed974b1e649d380de37
webkit2gtk3-debuginfo-2.50.3-2.el8_2.i686.rpm SHA-256: ff824aee57e2fab1ea38c4e4cf326fb7953d24487930362c2943ede79b0f8f08
webkit2gtk3-debuginfo-2.50.3-2.el8_2.x86_64.rpm SHA-256: 862430b0e8ece4b49d653a3d9521a4ae2ba29b80e2c3fc45017a592b9b72a618
webkit2gtk3-debugsource-2.50.3-2.el8_2.i686.rpm SHA-256: 6fc289fb632f7f98243b02e6d6603adbc1d295581376784c05996079809ea96c
webkit2gtk3-debugsource-2.50.3-2.el8_2.x86_64.rpm SHA-256: 4264761a49e4f6aac9e1525dc219c03f4c165ac5dd62c6ec5136f5a83b6ddea9
webkit2gtk3-devel-2.50.3-2.el8_2.i686.rpm SHA-256: 78e93b31fcdecdba96f3d568663de5f2060d39c0c759745fb3e0e5e4e06e2e46
webkit2gtk3-devel-2.50.3-2.el8_2.x86_64.rpm SHA-256: 51ca5622235e8a02117346e4109395c3293b837eef90bf5a6c12245dc999af79
webkit2gtk3-devel-debuginfo-2.50.3-2.el8_2.i686.rpm SHA-256: 669deb5b7d7f5a9d66eff23bd885f76aead8be60c957bfda688ad4c0831697f1
webkit2gtk3-devel-debuginfo-2.50.3-2.el8_2.x86_64.rpm SHA-256: 6e35cc490cee2c6a35c857196eddc2864a908abfa795abc16492550c4b12ad09
webkit2gtk3-jsc-2.50.3-2.el8_2.i686.rpm SHA-256: 5325a1b85a17b94897ba6474e5f5d8007c5f8d8d0b2ddc67f8922ba5a5b44061
webkit2gtk3-jsc-2.50.3-2.el8_2.x86_64.rpm SHA-256: 8fcbec23a65c0a9d35a5075dbc708a9921ca6c560561acefe3281ed34f13ffd1
webkit2gtk3-jsc-debuginfo-2.50.3-2.el8_2.i686.rpm SHA-256: 29b3ff607dcfe1e34478c0fc34b33cad898033e563edc51c79109ec4599d4b22
webkit2gtk3-jsc-debuginfo-2.50.3-2.el8_2.x86_64.rpm SHA-256: 5a8c2b118513ac6fa3daac33f9a40470cb7a7cf34a3acfbce6a1b0130a8f3d9b
webkit2gtk3-jsc-devel-2.50.3-2.el8_2.i686.rpm SHA-256: e57ef9b4905fd3d5129de5ed559e386946f328750b2e0052142c7996f7d0a426
webkit2gtk3-jsc-devel-2.50.3-2.el8_2.x86_64.rpm SHA-256: c6109f15ebee6c7bd97336027aabd209ee7e123e668e983c5a17003a2d10ac71
webkit2gtk3-jsc-devel-debuginfo-2.50.3-2.el8_2.i686.rpm SHA-256: 2a1df79c43391e243cf82a9f57e027df078ea6e3e40167639ce16d8515147ca2
webkit2gtk3-jsc-devel-debuginfo-2.50.3-2.el8_2.x86_64.rpm SHA-256: f35b404e764f2478d61c76bf515bf96d1936d91a309d8538916a1cadddeddf53

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.