Topic: An update for webkitgtk4 is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

---

Details: WebKitGTK+ is port of the WebKit portable web rendering engine to the GTK+ platform. These packages provide WebKitGTK+ for GTK+ 3. Security Fix(es): * webkitgtk: Command injection in web inspector (CVE-2020-9862) * webkitgtk: Use-after-free may lead to application termination or arbitrary code execution (CVE-2020-9893) * webkitgtk: Out-of-bounds read may lead to unexpected application termination or arbitrary code execution (CVE-2020-9894) * webkitgtk: Use-after-free may lead to application termination or arbitrary code execution (CVE-2020-9895) * webkitgtk: Access issue in content security policy (CVE-2020-9915) * webkitgtk: A logic issue may lead to cross site scripting (CVE-2020-9925) * webkitgtk: Logic issue may lead to arbitrary code execution (CVE-2020-9802) * webkitgtk: Memory corruption may lead to arbitrary code execution (CVE-2020-9803) * webkitgtk: Logic issue may lead to cross site scripting (CVE-2020-9805) * webkitgtk: Memory corruption may lead to arbitrary code execution (CVE-2020-9806) * webkitgtk: Memory corruption may lead to arbitrary code execution (CVE-2020-9807) * webkitgtk: Input validation issue may lead to cross site scripting (CVE-2020-9843) * webkitgtk: Logic issue may lead to arbitrary code execution (CVE-2020-9850) * webkitgtk: Improper access management to CLONE_NEWUSER and the TIOCSTI ioctl (CVE-2020-13753) * webkitgtk: use-after-free may lead to arbitrary code execution (CVE-2020-13584) * webkitgtk: type confusion may lead to arbitrary code execution (CVE-2020-9948) * webkitgtk: use-after-free may lead to arbitrary code execution (CVE-2020-9951) * webkitgtk: input validation issue may lead to a cross site scripting (CVE-2020-9952) * webkitgtk: out-of-bounds write may lead to code execution (CVE-2020-9983) * webkitgtk: use-after-free may lead to arbitrary code execution (CVE-2020-13543) * webkitgtk: Use-after-free in AudioSourceProviderGStreamer leading to arbitrary code execution (CVE-2020-13558) * webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2020-27918) * webkitgtk: User may be unable to fully delete browsing history (CVE-2020-29623) * webkitgtk: use after free issue may lead to arbitrary code execution (CVE-2020-9947) * webkitgtk: IFrame sandboxing policy violation (CVE-2021-1765) * webkitgtk: Type confusion issue leading to arbitrary code execution (CVE-2021-1789) * webkitgtk: Access to restricted ports on arbitrary servers via port redirection (CVE-2021-1799) * webkitgtk: IFrame sandboxing policy violation (CVE-2021-1801) * webkitgtk: Logic issue leading to arbitrary code execution (CVE-2021-1870) * webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-1788) * webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2021-1844) * webkitgtk: Logic issue leading to arbitrary code execution (CVE-2021-1871) * webkitgtk: Use-after-free in fireEventListeners leading to arbitrary code execution (CVE-2021-21806) * webkitgtk: Memory corruption leading to arbitrary code execution (CVE-2021-1817) * webkitgtk: Memory initialization issue possibly leading to memory disclosure (CVE-2021-1820) * webkitgtk: Input validation issue leading to cross site scripting attack (CVE-2021-1825) * webkitgtk: Logic issue leading to universal cross site scripting attack (CVE-2021-1826) * webkitgtk: Use-after-free in ImageLoader dispatchPendingErrorEvent leading to information leak and possibly code execution (CVE-2021-21775) * webkitgtk: Use-after-free in WebCore::GraphicsContext leading to information leak and possibly code execution (CVE-2021-21779) * webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-30661) * webkitgtk: Integer overflow leading to arbitrary code execution (CVE-2021-30663) * webkitgtk: Memory corruption leading to arbitrary code execution (CVE-2021-30665) * webkitgtk: Buffer overflow leading to arbitrary code execution (CVE-2021-30666) * webkitgtk: Logic issue leading to leak of sensitive user information (CVE-2021-30682) * webkitgtk: Logic issue leading to universal cross site scripting attack (CVE-2021-30689) * webkitgtk: Logic issue allowing access to restricted ports on arbitrary servers (CVE-2021-30720) * webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30734) * webkitgtk: Cross-origin issue with iframe elements leading to universal cross site scripting attack (CVE-2021-30744) * webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30749) * webkitgtk: Type confusion leading to arbitrary code execution (CVE-2021-30758) * webkitgtk: Memory corruption leading to arbitrary code execution (CVE-2021-30761) * webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-30762) * webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-30795) * webkitgtk: Insufficient checks leading to arbitrary code execution (CVE-2021-30797) * webkitgtk: Memory corruptions leading to arbitrary code execution (CVE-2021-30799) * webkitgtk: limited sandbox escape via VFS syscalls (CVE-2021-42762) * webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2021-30846) * webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2021-30848) * webkitgtk: Multiple memory corruption issue leading to arbitrary code execution (CVE-2021-30849) * webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2021-30851) * webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-30809) * webkitgtk: Type confusion issue leading to arbitrary code execution (CVE-2021-30818) * webkitgtk: Logic issue leading to HSTS bypass (CVE-2021-30823) * webkitgtk: Out-of-bounds read leading to memory disclosure (CVE-2021-30836) * webkitgtk: CSS compositing issue leading to revealing of the browsing history (CVE-2021-30884) * webkitgtk: Logic issue leading to Content Security Policy bypass (CVE-2021-30887) * webkitgtk: Information leak via Content Security Policy reports (CVE-2021-30888) * webkitgtk: Buffer overflow leading to arbitrary code execution (CVE-2021-30889) * webkitgtk: Logic issue leading to universal cross-site scripting (CVE-2021-30890) * chromium-browser: Inappropriate implementation in Navigation (CVE-2022-0108) * webkitgtk: Cross-origin data exfiltration via resource timing API (CVE-2021-30897) * webkitgtk: Incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create (CVE-2021-45481) * webkitgtk: use-after-free in WebCore::ContainerNode::firstChild (CVE-2021-45482) * webkitgtk: use-after-free in WebCore::Frame::page (CVE-2021-45483) * webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2021-30934) * webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2021-30936) * webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2021-30951) * webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2021-30952) * webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2021-30953) * webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2021-30954) * webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2021-30984) * webkitgtk: A malicious website may exfiltrate data cross-origin (CVE-2022-22594) * webkitgtk: Processing a maliciously crafted mail message may lead to running arbitrary javascript (CVE-2022-22589) * webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2022-22590) * webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2022-22592) * webkitgtk: maliciously crafted web content may lead to arbitrary code execution due to use after free (CVE-2022-22620) * webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2022-22624) * webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2022-22628) * webkitgtk: Buffer overflow leading to arbitrary code execution (CVE-2022-22629) * webkitgtk: logic issue was addressed with improved state management (CVE-2022-22637) * webkitgtk: heap-buffer-overflow in WebCore::TextureMapperLayer::setContentsLayer (CVE-2022-30294) * webkitgtk: Heap buffer overflow in WebCore::TextureMapperLayer::setContentsLayer leading to arbitrary code execution (CVE-2022-30293) * webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2022-26700) * webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2022-26709) * webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2022-26716) * webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2022-26717) * webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2022-26719) * webkitgtk: Cookie management issue leading to sensitive user information disclosure (CVE-2022-22662) * webkitgtk: the video in a webRTC call may be interrupted if the audio capture gets interrupted (CVE-2022-22677) * webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2022-26710) * webkitgtk: processing maliciously crafted web content may lead to arbitrary code execution (CVE-2022-32893) * webkitgtk: buffer overflow issue was addressed with improved memory handling (CVE-2022-32886) * webkitgtk: out-of-bounds read was addressed with improved bounds checking (CVE-2022-32912) * webkitgtk: UI spoofing while Visiting a website that frames malicious content (CVE-2022-32891) * webkitgtk: out-of-bounds write issue was addressed with improved bounds checking (CVE-2022-32888) * webkitgtk: correctness issue in the JIT was addressed with improved checks (CVE-2022-32923) * webkitgtk: issue was addressed with improved UI handling (CVE-2022-42799) * webkitgtk: sensitive information disclosure issue (CVE-2022-42824) * webkitgtk: type confusion issue leading to arbitrary code execution (CVE-2022-42823) * webkitgtk: processing maliciously crafted web content may lead to an arbitrary code execution (CVE-2022-42856) * webkitgtk: memory disclosure issue was addressed with improved memory handling (CVE-2022-42852) * webkitgtk: memory corruption issue leading to arbitrary code execution (CVE-2022-42863) * webkitgtk: use-after-free issue leading to arbitrary code execution (CVE-2022-42867) * webkitgtk: memory corruption issue leading to arbitrary code execution (CVE-2022-46691) * webkitgtk: Same Origin Policy bypass issue (CVE-2022-46692) * webkitgtk: logic issue leading to user information disclosure (CVE-2022-46698) * webkitgtk: memory corruption issue leading to arbitrary code execution (CVE-2022-46699) * webkitgtk: memory corruption issue leading to arbitrary code execution (CVE-2022-46700) * webkitgtk: memory corruption issue leading to arbitrary code execution (CVE-2023-23518) * webkitgtk: use-after-free issue leading to arbitrary code execution (CVE-2022-42826) * webkitgtk: memory corruption issue leading to arbitrary code execution (CVE-2023-23517) * webkitgtk: processing maliciously crafted web content may be exploited for arbitrary code execution (CVE-2023-23529) * webkitgtk: heap-use-after-free in WebCore::RenderLayer::addChild() (CVE-2023-25358) * WebKitGTK: use-after-free leads to arbitrary code execution (CVE-2023-28205) * webkitgtk: an out-of-bounds read when processing malicious content (CVE-2023-28204) * webkitgtk: a use-after-free when processing maliciously crafted web content (CVE-2023-32373) * webkitgtk: improper bounds checking leading to arbitrary code execution (CVE-2022-48503) * webkitgtk: memory corruption issue leading to arbitrary code execution (CVE-2023-32435) * webkitgtk: type confusion issue leading to arbitrary code execution (CVE-2023-32439) * webkitgtk: arbitrary code execution (CVE-2023-37450) * webkitgtk: arbitrary code execution (CVE-2023-32393) * webkitgtk: disclose sensitive information (CVE-2023-38133) * webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-38592) * webkitgtk: arbitrary code execution (CVE-2023-38594) * webkitgtk: arbitrary code execution (CVE-2023-38595) * webkitgtk: track sensitive user information (CVE-2023-38599) * webkitgtk: arbitrary code execution (CVE-2023-38600) * webkitgtk: arbitrary code execution (CVE-2023-38611) * webkitgtk: bypass Same Origin Policy (CVE-2023-38572) * webkitgtk: arbitrary code execution (CVE-2023-38597) * webkitgtk: Memory corruption issue when processing web content (CVE-2022-32885) * webkitgtk: Same Origin Policy bypass via crafted web content (CVE-2023-27932) * webkitgtk: Website may be able to track sensitive user information (CVE-2023-27954) * webkitgtk: use after free vulnerability (CVE-2023-28198) * webkitgtk: content security policy blacklist failure (CVE-2023-32370) * webkitgtk: arbitrary javascript code execution (CVE-2023-40397) * webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2022-32792) * webkitgtk: malicious content may lead to UI spoofing (CVE-2022-32816) * webkitgtk: processing malicious web content may lead to arbitrary code execution (CVE-2023-41993) * webkitgtk: use-after-free in the MediaRecorder API of the WebKit GStreamer-based ports (CVE-2023-39928) * webkitgtk: processing web content may lead to arbitrary code execution (CVE-2023-35074) * webkitgtk: attacker with JavaScript execution may be able to execute arbitrary code (CVE-2023-40451) * webkitgtk: processing web content may lead to arbitrary code execution (CVE-2023-41074) * webkitgtk: Out-of-bounds read leads to sensitive data leak (CVE-2023-42916) * webkitgtk: Arbitrary Remote Code Execution (CVE-2023-42917) * webkitgtk: processing a malicious image may lead to a denial of service (CVE-2023-42883) * webkitgtk: processing malicious web content may lead to arbitrary code execution (CVE-2023-42890) * webkitgtk: type confusion may lead to arbitrary code execution (CVE-2024-23222) * webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2024-23213) * webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-40414) * webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-42833) * webkitgtk: Processing a file may lead to a denial of service or potentially disclose memory contents (CVE-2014-1745) * webkit: processing malicious web content may lead to denial-of-service (CVE-2024-23252) * webkit: malicious website may exfiltrate audio data cross-origin (CVE-2024-23254) * webkit: processing malicious web content prevents Content Security Policy from being enforced (CVE-2024-23263) * webkit: maliciously crafted webpage may be able to fingerprint the user (CVE-2024-23280) * webkit: processing maliciously crafted web content prevents Content Security Policy from being enforced (CVE-2024-23284) * webkitgtk: Visiting a website that frames malicious content may lead to UI spoofing. (CVE-2022-32919) * webkitgtk: A website may able to track visited websites in private browsing (CVE-2022-32933) * webkitgtk: Visiting a malicious website may lead to address bar spoofing (CVE-2022-46705) * webkitgtk: Visiting a malicious website may lead to address bar spoofing. (CVE-2022-46725) * webkitgtk: User password may be read aloud by a text-to-speech accessibility feature (CVE-2023-32359) * webkitgtk: Processing web content may lead to a denial of service (CVE-2023-41983) * webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-42852) * webkit: visiting a malicious website may lead to address bar spoofing (CVE-2023-42843) * webkit: heap use-after-free may lead to arbitrary code execution (CVE-2023-42950) * webkit: processing malicious web content may lead to a denial of service (CVE-2023-42956) * chromium-browser: Use after free in ANGLE (CVE-2024-4558) * webkit: pointer authentication bypass (CVE-2024-27834) * webkitgtk: webkit2gtk: Use after free may lead to Remote Code Execution (CVE-2024-40776) * webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-40789) * webkitgtk: webkit2gtk: Out-of-bounds read was addressed with improved bounds checking (CVE-2024-40780) * webkitgtk: webkit2gtk: Out-of-bounds read was addressed with improved bounds checking (CVE-2024-40779) * webkitgtk: webkit2gtk: Use-after-free was addressed with improved memory management (CVE-2024-40782) * webkitgtk: Visiting a malicious website may lead to address bar spoofing (CVE-2024-40866) * webkitgtk: A malicious website may cause unexpected cross-origin behavior (CVE-2024-23271) * webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2024-27808) * webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2024-27820) * webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2024-27833) * webkitgtk: A maliciously crafted webpage may be able to fingerprint the user (CVE-2024-27838) * webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2024-27851) * webkitgtk: A malicious website may exfiltrate data cross-origin (CVE-2024-44187) * webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-44185) * webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-44244) * webkitgtk: webkit2gtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2024-44296) * webkitgtk: data isolation bypass vulnerability (CVE-2024-44309) * webkitgtk: javascriptcore: processing maliciously crafted web content may lead to arbitrary code execution (CVE-2024-44308) * WebKitGTK: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-54479) * webkit: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-54502) * webkit: Processing maliciously crafted web content may lead to memory corruption (CVE-2024-54505) * webkit: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-54508) * webkit: Processing maliciously crafted web content may lead to memory corruption (CVE-2024-54534) * webkitgtk: Processing a file may lead to unexpected app termination or arbitrary code execution (CVE-2024-27856) * webkitgtk: Processing maliciously crafted web content may lead to memory corruption (CVE-2024-54543) * webkitgtk: A maliciously crafted webpage may be able to fingerprint the user (CVE-2025-24143) * webkitgtk: Copying a URL from Web Inspector may lead to command injection (CVE-2025-24150) * webkitgtk: Processing web content may lead to a denial-of-service (CVE-2025-24158) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-24162) * webkitgtk: Processing web content may lead to a denial-of-service (CVE-2024-54658) * webkitgtk: out-of-bounds write vulnerability (CVE-2025-24201) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-44192) * webkitgtk: A malicious website may exfiltrate data cross-origin (CVE-2024-54467) * webkitgtk: Processing web content may lead to a denial-of-service (CVE-2024-54551) * webkitgtk: Loading a malicious iframe may lead to a cross-site scripting attack (CVE-2025-24208) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-24209) * webkitgtk: A type confusion issue could lead to memory corruption (CVE-2025-24213) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-24216) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-24264) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-30427) * webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-42875) * webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-42970) * webkitgtk: Processing maliciously crafted web content may lead to memory corruption (CVE-2025-24223) * webkitgtk: Processing maliciously crafted web content may lead to memory corruption (CVE-2025-31204) * webkitgtk: A malicious website may exfiltrate data cross-origin (CVE-2025-31205) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-31206) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-31215) * webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-31257) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

---

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.