oss-sec mailing list archives
WebKitGTK and WPE WebKit Security Advisory WSA-2026-0002
From: Adrian Perez de Castro <aperez () igalia com>
Date: Sat, 28 Mar 2026 00:41:08 +0200
------------------------------------------------------------------------ WebKitGTK and WPE WebKit Security Advisory WSA-2026-0002 ------------------------------------------------------------------------ Date reported : March 28, 2026 Advisory ID : WSA-2026-0002 WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2026-0002.html WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2026-0002.html CVE identifiers : CVE-2026-20643, CVE-2026-20664, CVE-2026-20665, CVE-2026-20691, CVE-2026-28857, CVE-2026-28859, CVE-2026-28861, CVE-2026-28871. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2026-20643 Versions affected: WebKitGTK and WPE WebKit before 2.52.1. Credit to Thomas Espach. Impact: Processing maliciously crafted web content may bypass Same Origin Policy. Description: A cross-origin issue in the Navigation API was addressed with improved input validation. WebKit Bugzilla: 306050 CVE-2026-20664 Versions affected: WebKitGTK and WPE WebKit before 2.52.1. Credit to Daniel Rhea, Söhnke Benedikt Fischedick (Tripton), Emrovsky & Switch, Yevhen Pervushyn. Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling. WebKit Bugzilla: 306136 CVE-2026-20665 Versions affected: WebKitGTK and WPE WebKit before 2.52.1. Credit to webb. Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced. Description: This issue was addressed through improved state management. WebKit Bugzilla: 304951 CVE-2026-20691 Versions affected: WebKitGTK and WPE WebKit before 2.52.1. Credit to Gongyu Ma (@Mezone0). Impact: A maliciously crafted webpage may be able to fingerprint the user. Description: An authorization issue was addressed with improved state management. WebKit Bugzilla: 306827 CVE-2026-28857 Versions affected: WebKitGTK and WPE WebKit before 2.52.1. Credit to Narcis Oliveras Fontàs, Söhnke Benedikt Fischedick (Tripton), Daniel Rhea, Nathaniel Oh (@calysteon). Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling. WebKit Bugzilla: 307723 CVE-2026-28859 Versions affected: WebKitGTK and WPE WebKit before 2.52.1. Credit to greenbynox, Arni Hardarson. Impact: A malicious website may be able to process restricted web content outside the sandbox. Description: The issue was addressed with improved memory handling. WebKit Bugzilla: 308248 CVE-2026-28861 Versions affected: WebKitGTK and WPE WebKit before 2.52.1. Credit to Hongze Wu and Shuaike Dong from Ant Group Infrastructure Security Team. Impact: A malicious website may be able to access script message handlers intended for other origins. Description: A logic issue was addressed with improved state management. WebKit Bugzilla: 307014 CVE-2026-28871 Versions affected: WebKitGTK and WPE WebKit before 2.52.1. Credit to @hamayanhamayan. Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack. Description: A logic issue was addressed with improved checks. WebKit Bugzilla: 305859 We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases. Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security. The WebKitGTK and WPE WebKit team,
Attachment:
signature.asc
Description:
Current thread:
- WebKitGTK and WPE WebKit Security Advisory WSA-2026-0002 Adrian Perez de Castro (Mar 27)