webkit2gtk3-2.50.3-1.el9_7

Errata ID: AXSA:2025-11554:21

Release date: 
Thursday, December 18, 2025 - 18:56
Subject: 
webkit2gtk3-2.50.3-1.el9_7
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):

* webkit: WebKitGTK / WPE WebKit: Out-of-bounds read and integer underflow vulnerability leading to DoS (CVE-2025-13502)
* webkitgtk: Processing maliciously crafted web content may lead to memory corruption (CVE-2023-43000)
* webkitgtk: A website may exfiltrate image data cross-origin (CVE-2025-43392)
* webkitgtk: Processing maliciously crafted web content may lead to memory corruption (CVE-2025-43419)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43425)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43427)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43429)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43430)
* webkitgtk: Processing maliciously crafted web content may lead to memory corruption (CVE-2025-43431)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43432)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43434)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43440)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43443)
* webkitgtk: A malicious website may exfiltrate data cross-origin (CVE-2025-43480)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43421)
* webkit: WebKitGTK: Remote user-assisted information disclosure via file drag-and-drop (CVE-2025-13947)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43458)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-66287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-43000
A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13.5, iOS 16.6 and iPadOS 16.6, Safari 16.6. Processing maliciously crafted web content may lead to memory corruption.
CVE-2025-13502
A flaw was found in WebKitGTK and WPE WebKit. This vulnerability allows an out-of-bounds read and integer underflow, leading to a UIProcess crash (DoS) via a crafted payload to the GLib remote inspector server.
CVE-2025-13947
A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can reveal any file the user is permitted to read by abusing the file drag-and-drop mechanism, because WebKitGTK does not verify that drag operations originate from outside the browser.
CVE-2025-43392
The issue was addressed with improved handling of caches. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. A website may exfiltrate image data cross-origin.
CVE-2025-43419
The issue was addressed with improved memory handling. This issue is fixed in Safari 26, tvOS 26, watchOS 26, iOS 26 and iPadOS 26, visionOS 26. Processing maliciously crafted web content may lead to memory corruption.
CVE-2025-43421
Multiple issues were addressed by disabling array allocation sinking. This issue is fixed in iOS 26.1 and iPadOS 26.1, Safari 26.1, visionOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-43425
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1 and iPadOS 26.1, tvOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-43427
This issue was addressed through improved state management. This issue is fixed in iOS 26.1 and iPadOS 26.1, tvOS 26.1, Safari 26.1, visionOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-43429
A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-43430
This issue was addressed through improved state management. This issue is fixed in Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1 and iPadOS 26.1, tvOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-43431
The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Processing maliciously crafted web content may lead to memory corruption.
CVE-2025-43432
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1 and iPadOS 26.1, tvOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-43434
A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
CVE-2025-43440
This issue was addressed with improved checks. This issue is fixed in Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1 and iPadOS 26.1, tvOS 26.1. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-43443
This issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-43458
This issue was addressed through improved state management. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-43480
The issue was addressed with improved checks. This issue is fixed in Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1 and iPadOS 26.1, tvOS 26.1. A malicious website may exfiltrate data cross-origin.
CVE-2025-66287
A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. webkit2gtk3-2.50.3-1.el9_7.src.rpm
    MD5: 9096fb1889c21a69299365412aae65ba
    SHA-256: ba260bc543c171c2d4e075b89ba494c79d106200d44bd722bb47df5ad6fd6030
    Size: 41.79 MB

Asianux Server 9 for x86_64
  1. webkit2gtk3-2.50.3-1.el9_7.i686.rpm
    MD5: 51fa6f475e1522342baa11b89bdbe91e
    SHA-256: d8cfa41bbca3486880ced4a23f5e22c8fa91db95f8043dc1b5f65d81d46666eb
    Size: 26.66 MB
  2. webkit2gtk3-2.50.3-1.el9_7.x86_64.rpm
    MD5: f7f0a7dad6762d616e2e920eb861e103
    SHA-256: f2fb0396188aa260950440976d6f8037057dbbc0591798aedbefd2c9029b9360
    Size: 27.41 MB
  3. webkit2gtk3-devel-2.50.3-1.el9_7.i686.rpm
    MD5: 78b2a55bb8b6382a1e22d30cf0aab81c
    SHA-256: f85da74a837e9f52bd886639a811e7fd8212c3948dc67c16d4fe173bb3a6e398
    Size: 370.98 kB
  4. webkit2gtk3-devel-2.50.3-1.el9_7.x86_64.rpm
    MD5: c868cccffaf8697a5008011d43ea9897
    SHA-256: 4dad04c8dd3fb55a5818c5dc179740adc2b922adf6eb91450c099e577fe9a827
    Size: 369.60 kB
  5. webkit2gtk3-jsc-2.50.3-1.el9_7.i686.rpm
    MD5: 1821d2b32e8edef3a56547185a9eb153
    SHA-256: 12f3895d0429c7060db5fd4513ebf26238b7194c18409ad2540463e6df405e40
    Size: 3.97 MB
  6. webkit2gtk3-jsc-2.50.3-1.el9_7.x86_64.rpm
    MD5: 066cc81a03d16e543e7034b37bb769c4
    SHA-256: bd87f7697b60edf9d812fc8d3de195c37c8dc4a119f8785985d4ab32f97b9581
    Size: 8.61 MB
  7. webkit2gtk3-jsc-devel-2.50.3-1.el9_7.i686.rpm
    MD5: 2e6bc2255e566547f11150cc5aa47f93
    SHA-256: 633b058e36e33d139590ebd7307cf565492568769281a2d2f7b4c1edde37770e
    Size: 170.78 kB
  8. webkit2gtk3-jsc-devel-2.50.3-1.el9_7.x86_64.rpm
    MD5: 3e622633706a2d3bb9ab74e17aa3ac57
    SHA-256: 9fe8e0ae13690d399aa816da888faf22df887f54a67aed1e2eaaf62f66e05fd2
    Size: 160.69 kB