OPENSUSE-SU-2026:20065-1
Vulnerability Summary
Timeline
Description
Security update for webkit2gtk3 This update for webkit2gtk3 fixes the following issues: Update to version 2.50.4. Security issues fixed: - CVE-2025-13502: processing of maliciously crafted payloads by the GLib remote inspector server may lead to a UIProcess crash due to an out-of-bounds read and an integer underflow (bsc#1254208). - CVE-2025-13947: use of the file drag-and-drop mechanism may lead to remote information disclosure due to a lack of verification of the origins of drag operations (bsc#1254473). - CVE-2025-14174: processing maliciously crafted web content may lead to memory corruption due to improper validation (bsc#1255497). - CVE-2025-43272: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1250439). - CVE-2025-43342: processing maliciously crafted web content may lead to an unexpected process crash due to a correctness issue and missing checks (bsc#1250440). - CVE-2025-43343: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1251975). - CVE-2025-43356: a website may be able to access sensor information without user consent due to improper cache handling (bsc#1250441). - CVE-2025-43368: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1250442). - CVE-2025-43392: websites may exfiltrate image data cross-origin due to issues with cache handling (bsc#1254165). - CVE-2025-43419: processing maliciously crafted web content may lead to memory corruption due to improper memory handling (bsc#1254166). - CVE-2025-43421: processing maliciously crafted web content may lead to an unexpected process crash due to enabled array allocation sinking (bsc#1254167). - CVE-2025-43425: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1254168). - CVE-2025-43427: processing maliciously crafted web content may lead to an unexpected process crash due to issues with state management (bsc#1254169). - CVE-2025-43429: processing maliciously crafted web content may lead to an unexpected process crash due to a buffer overflow issue (bsc#1254174). - CVE-2025-43430: processing maliciously crafted web content may lead to an unexpected process crash due to issues with state management (bsc#1254172). - CVE-2025-43431: processing maliciously crafted web content may lead to memory corruption due to improper memory handling (bsc#1254170). - CVE-2025-43432: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1254171). - CVE-2025-43434: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1254179). - CVE-2025-43440: processing maliciously crafted web content may lead to an unexpected process crash due to missing checks (bsc#1254177). - CVE-2025-43443: processing maliciously crafted web content may lead to an unexpected process crash due to missing checks (bsc#1254176). - CVE-2025-43458: processing maliciously crafted web content may lead to an unexpected process crash due to issues with state management (bsc#1254498). - CVE-2025-43501: processing maliciously crafted web content may lead to an unexpected process crash due to a buffer overflow issue (bsc#1255194). - CVE-2025-43529: processing maliciously crafted web content may lead to arbitrary code execution due to a use-after-free issue (bsc#1255198). - CVE-2025-43531: processing maliciously crafted web content may lead to an unexpected process crash due to a race condition (bsc#1255183). - CVE-2025-43535: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1255195). - CVE-2025-43536: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1255200). - CVE-2025-43541: processing maliciously crafted web content may lead to an unexpected process crash due to type confusion (bsc#1255191). - CVE-2025-66287: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1254509). Other issues fixed and changes: - Version 2.50.4: * Correctly handle the program name passed to the sleep disabler. * Ensure GStreamer is initialized before using the Quirks. * Fix several crashes and rendering issues. - Version 2.50.3: * Fix seeking and looping of media elements that set the "loop" property. * Fix several crashes and rendering issues. - Version 2.50.2: * Prevent unsafe URI schemes from participating in media playback. * Make jsc_value_array_buffer_get_data() function introspectable. * Fix logging in to Google accounts that have a WebAuthn second factor configured. * Fix loading webkit://gpu when there are no threads configured for GPU rendering. * Fix rendering gradiants that use the CSS hue interpolation method. * Fix pasting image data from the clipboard. * Fix font-family selection when the font name contains spaces. * Fix the build with standard C libraries that lack execinfo.h, like Musl or uClibc. * Fix capturing canvas snapshots in the Web Inspector. * Fix several crashes and rendering issues. - Version 2.50.1: * Improve text rendering performance. * Fix audio playback broken on instagram. * Fix rendering of layers with fractional transforms. * Fix the build with ENABLE(VIDEO) disabled. * Fix the build in s390x. * Fix several crashes and rendering issues. - Version 2.50.0: * Improved rendering performance by recording each layer once and replaying every dirty region in different worker threads. * Enable damage propagation to the UI process by default. * CSS property font-variant-emoji is now enabled by default. * Font synthesis properties (bold/italic) are now properly handled. * Ensure web view is focused on tap gesture. * Added new API to get the theme color of a WebKitWebView. - Version 2.49.90: * Add support for font collection / fragment identifiers. * Fix web process deadlock on exit. * Fix stuttering when playing WebP animations * Fix CSS animations with cubic-bezier timing function. * Do not start the MemoryPressureMonitor if it’s disabled * Fix several crashes and rendering issues. * Updated translations. - Version 2.48.6: * Fix emojis incorrectly rendered in their text variant. * Add support for font collection / fragment identifiers. * Fix web process deadlock on exit. * Fix stuttering when playing WebP animations. * Fix CSS animations with cubic-bezier timing function. * Do not start the MemoryPressureMonitor if it's disabled. * Fix several crashes and rendering issues. - Fix a11y regression where AT-SPI roles were mapped incorrectly. - Disable skia on ppc64le.
Affected Systems
- opensuse•webkit2gtk3-soup2&distro=openSUSE Leap 16.0
< 2.50.4-160000.1.1
- opensuse•webkit2gtk3&distro=openSUSE Leap 16.0
< 2.50.4-160000.1.1
- opensuse•webkit2gtk4&distro=openSUSE Leap 16.0
< 2.50.4-160000.1.1
References (60)
- https://bugzilla.suse.com/1250439
- https://bugzilla.suse.com/1250440
- https://bugzilla.suse.com/1250441
- https://bugzilla.suse.com/1250442
- https://bugzilla.suse.com/1251975
- https://bugzilla.suse.com/1254164
- https://bugzilla.suse.com/1254165
- https://bugzilla.suse.com/1254166
- https://bugzilla.suse.com/1254167
- https://bugzilla.suse.com/1254168
- https://bugzilla.suse.com/1254169
- https://bugzilla.suse.com/1254170
- https://bugzilla.suse.com/1254171
- https://bugzilla.suse.com/1254172
- https://bugzilla.suse.com/1254174
- https://bugzilla.suse.com/1254175
- https://bugzilla.suse.com/1254176
- https://bugzilla.suse.com/1254177
- https://bugzilla.suse.com/1254179
- https://bugzilla.suse.com/1254208
- https://bugzilla.suse.com/1254473
- https://bugzilla.suse.com/1254498
- https://bugzilla.suse.com/1254509
- https://bugzilla.suse.com/1255183
- https://bugzilla.suse.com/1255191
- https://bugzilla.suse.com/1255194
- https://bugzilla.suse.com/1255195
- https://bugzilla.suse.com/1255198
- https://bugzilla.suse.com/1255200
- https://bugzilla.suse.com/1255497
- https://www.suse.com/security/cve/CVE-2023-43000
- https://www.suse.com/security/cve/CVE-2025-13502
- https://www.suse.com/security/cve/CVE-2025-13947
- https://www.suse.com/security/cve/CVE-2025-14174
- https://www.suse.com/security/cve/CVE-2025-43272
- https://www.suse.com/security/cve/CVE-2025-43342
- https://www.suse.com/security/cve/CVE-2025-43343
- https://www.suse.com/security/cve/CVE-2025-43356
- https://www.suse.com/security/cve/CVE-2025-43368
- https://www.suse.com/security/cve/CVE-2025-43392
- https://www.suse.com/security/cve/CVE-2025-43419
- https://www.suse.com/security/cve/CVE-2025-43421
- https://www.suse.com/security/cve/CVE-2025-43425
- https://www.suse.com/security/cve/CVE-2025-43427
- https://www.suse.com/security/cve/CVE-2025-43429
- https://www.suse.com/security/cve/CVE-2025-43430
- https://www.suse.com/security/cve/CVE-2025-43431
- https://www.suse.com/security/cve/CVE-2025-43432
- https://www.suse.com/security/cve/CVE-2025-43434
- https://www.suse.com/security/cve/CVE-2025-43440
- https://www.suse.com/security/cve/CVE-2025-43443
- https://www.suse.com/security/cve/CVE-2025-43458
- https://www.suse.com/security/cve/CVE-2025-43480
- https://www.suse.com/security/cve/CVE-2025-43501
- https://www.suse.com/security/cve/CVE-2025-43529
- https://www.suse.com/security/cve/CVE-2025-43531
- https://www.suse.com/security/cve/CVE-2025-43535
- https://www.suse.com/security/cve/CVE-2025-43536
- https://www.suse.com/security/cve/CVE-2025-43541
- https://www.suse.com/security/cve/CVE-2025-66287