Home / mailingsPDF  

[SECURITY] [DSA 6232-1] webkit2gtk security update

Posted on 28 April 2026
Debian Security Advisory

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6232-1 security@debian.org
https://www.debian.org/security/ Alberto Garcia
April 28, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : webkit2gtk
CVE ID : CVE-2025-46299 CVE-2026-20643 CVE-2026-20664 CVE-2026-20665
CVE-2026-20691 CVE-2026-28857 CVE-2026-28859 CVE-2026-28861
CVE-2026-28871

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2025-46299

Google Big Sleep discovered that processing maliciously crafted
web content may disclose internal states of the app.

CVE-2026-20643

Thomas Espach discovered that processing maliciously crafted web
content may bypass Same Origin Policy.

CVE-2026-20664

Daniel Rhea, Soehnke Benedikt Fischedick, Emrovsky & Switch, and
Yevhen Pervushyn discovered that processing maliciously crafted
web content may lead to an unexpected process crash

CVE-2026-20665

webb discovered that processing maliciously crafted web content
may prevent Content Security Policy from being enforced.

CVE-2026-20691

Gongyu Ma discovered that a maliciously crafted webpage may be
able to fingerprint the user.

CVE-2026-28857

Narcis Oliveras Fontas, Soehnke Benedikt Fischedick, Daniel Rhea,
and Nathaniel Oh discovered that processing maliciously crafted
web content may lead to an unexpected process crash.

CVE-2026-28859

greenbynox and Arni Hardarson discovered that a malicious website
may be able to process restricted web content outside the sandbox.

CVE-2026-28861

Hongze Wu and Shuaike Dong discovered that a malicious website may
be able to access script message handlers intended for other
origins.

CVE-2026-28871

@hamayanhamayan discovered that visiting a maliciously crafted
website may lead to a cross- site scripting attack.

Starting from version 2.52.0, WebKitGTK can no longer be backported to
the oldstable distribution (bookworm). Because of that, the webkit2gtk
packages are no longer covered by security support in bookworm.

For the stable distribution (trixie), these problems have been fixed in
version 2.52.1-1~deb13u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

 

TOP

Mailings :

Exploits :