webkit2gtk3-2.52.3-1.el8_10.ML.1

Errata ID: AXSA:2026-546:02

Release date: Thursday, May 7, 2026 - 09:16
Subject: webkit2gtk3-2.52.3-1.el8_10.ML.1
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):

* webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43213)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43214)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43457)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43511)
* webkitgtk: Processing maliciously crafted web content may disclose internal states of the app (CVE-2025-46299)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20608)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20635)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20636)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20644)
* webkitgtk: A remote attacker may be able to cause a denial-of-service (CVE-2026-20652)
* webkitgtk: A website may be able to track users through Safari web extensions (CVE-2026-20676)
* webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy (CVE-2026-20643)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20664)
* webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2026-20665)
* webkitgtk: A maliciously crafted webpage may be able to fingerprint the user (CVE-2026-20691)
* webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28857)
* webkitgtk: A malicious website may be able to process restricted web content outside the sandbox (CVE-2026-28859)
* webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack (CVE-2026-28871)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-43213
The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously crafted web content may lead to an unexpected Safari crash.
CVE-2025-43214
The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously crafted web content may lead to an unexpected Safari crash.
CVE-2025-43457
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.1, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, visionOS 26.1, watchOS 26.1. Processing maliciously crafted web content may lead to an unexpected Safari crash.
CVE-2025-43511
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.2, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, watchOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2025-46299
A memory initialization issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Processing maliciously crafted web content may disclose internal states of the app.
CVE-2026-20608
This issue was addressed through improved state management. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2026-20635
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2026-20636
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2026-20643
A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may bypass Same Origin Policy.
CVE-2026-20644
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2026-20652
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A remote attacker may be able to cause a denial-of-service.
CVE-2026-20664
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2026-20665
This issue was addressed through improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
CVE-2026-20676
This issue was addressed through improved state management. This issue is fixed in Safari 26.3, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A website may be able to track users through Safari web extensions.
CVE-2026-20691
An authorization issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. A maliciously crafted webpage may be able to fingerprint the user.
CVE-2026-28857
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2026-28859
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. A malicious website may be able to process restricted web content outside the sandbox.
CVE-2026-28871
A logic issue was addressed with improved checks. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4. Visiting a maliciously crafted website may lead to a cross-site scripting attack.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. webkit2gtk3-2.52.3-1.el8_10.ML.1.src.rpm
    Size: 62.13 MB

Asianux Server 8 for x86_64
  1. webkit2gtk3-2.52.3-1.el8_10.ML.1.i686.rpm
    Size: 28.42 MB
  2. webkit2gtk3-2.52.3-1.el8_10.ML.1.x86_64.rpm
    Size: 28.36 MB
  3. webkit2gtk3-devel-2.52.3-1.el8_10.ML.1.i686.rpm
    Size: 309.66 kB
  4. webkit2gtk3-devel-2.52.3-1.el8_10.ML.1.x86_64.rpm
    Size: 311.33 kB
  5. webkit2gtk3-jsc-2.52.3-1.el8_10.ML.1.i686.rpm
    Size: 4.30 MB
  6. webkit2gtk3-jsc-2.52.3-1.el8_10.ML.1.x86_64.rpm
    Size: 8.55 MB
  7. webkit2gtk3-jsc-devel-2.52.3-1.el8_10.ML.1.i686.rpm
    Size: 168.31 kB
  8. webkit2gtk3-jsc-devel-2.52.3-1.el8_10.ML.1.x86_64.rpm
    Size: 167.14 kB