Security update for webkit2gtk3

Announcement ID:	SUSE-SU-2025:4423-1
Release Date:	2025-12-17T11:01:44Z
Rating:	important
References:	bsc#1254164 bsc#1254165 bsc#1254166 bsc#1254167 bsc#1254168 bsc#1254169 bsc#1254170 bsc#1254171 bsc#1254172 bsc#1254174 bsc#1254175 bsc#1254176 bsc#1254177 bsc#1254179 bsc#1254208 bsc#1254473 bsc#1254498 bsc#1254509
Cross-References:	CVE-2023-43000 CVE-2025-13502 CVE-2025-13947 CVE-2025-43392 CVE-2025-43419 CVE-2025-43421 CVE-2025-43425 CVE-2025-43427 CVE-2025-43429 CVE-2025-43430 CVE-2025-43431 CVE-2025-43432 CVE-2025-43434 CVE-2025-43440 CVE-2025-43443 CVE-2025-43458 CVE-2025-43480 CVE-2025-66287
CVSS scores:	CVE-2023-43000 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2023-43000 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2023-43000 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-13502 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-13502 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-13502 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-13947 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVE-2025-13947 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVE-2025-43392 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2025-43392 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2025-43392 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2025-43419 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-43419 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-43419 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-43421 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-43421 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-43421 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-43425 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-43425 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-43425 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-43427 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-43427 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-43427 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-43429 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-43429 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-43429 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-43430 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-43430 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-43430 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-43431 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L CVE-2025-43431 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-43432 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-43432 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-43432 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-43434 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-43434 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-43434 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-43440 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-43440 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-43440 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-43443 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-43443 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-43443 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-43458 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-43458 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-43458 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-43480 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2025-43480 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2025-43480 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2025-66287 ( SUSE ): 7.5 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-66287 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-66287 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server 12 SP5 LTSS SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves 18 vulnerabilities can now be installed.

Description:

This update for webkit2gtk3 fixes the following issues:

Update to version 2.50.3.

Security issues fixed:

• CVE-2025-13502: processing of maliciously crafted payloads by the GLib remote inspector server may lead to a UIProcess crash due to an out-of-bounds read and an integer underflow (bsc#1254208).
• CVE-2025-13947: use of the file drag-and-drop mechanism may lead to remote information disclosure due to a lack of verification of the origins of drag operations (bsc#1254473).
• CVE-2025-43392: websites may exfiltrate image data cross-origin due to issues with cache handling (bsc#1254165).
• CVE-2025-43421: processing maliciously crafted web content may lead to an unexpected process crash due to enabled array allocation sinking (bsc#1254167).
• CVE-2025-43425: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1254168).
• CVE-2025-43427: processing maliciously crafted web content may lead to an unexpected process crash due to issues with state management (bsc#1254169).
• CVE-2025-43429: processing maliciously crafted web content may lead to an unexpected process crash due to a buffer overflow issue (bsc#1254174).
• CVE-2025-43430: processing maliciously crafted web content may lead to an unexpected process crash due to issues with state management (bsc#1254172).
• CVE-2025-43431: processing maliciously crafted web content may lead to memory corruption due to improper memory handling (bsc#1254170).
• CVE-2025-43432: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1254171).
• CVE-2025-43434: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1254179).
• CVE-2025-43440: processing maliciously crafted web content may lead to an unexpected process crash due to missing checks (bsc#1254177).
• CVE-2025-43443: processing maliciously crafted web content may lead to an unexpected process crash due to missing checks (bsc#1254176).
• CVE-2025-43458: processing maliciously crafted web content may lead to an unexpected process crash due to issues with state management (bsc#1254498).
• CVE-2025-66287: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1254509).

Other issues fixed and changes:

• Version 2.50.3:
• Fix seeking and looping of media elements that set the "loop" property.

• Fix several crashes and rendering issues.

• Version 2.50.2:

• Prevent unsafe URI schemes from participating in media playback.
• Make jsc_value_array_buffer_get_data() function introspectable.
• Fix logging in to Google accounts that have a WebAuthn second factor configured.
• Fix loading webkit://gpu when there are no threads configured for GPU rendering.
• Fix rendering gradiants that use the CSS hue interpolation method.
• Fix pasting image data from the clipboard.
• Fix font-family selection when the font name contains spaces.
• Fix the build with standard C libraries that lack execinfo.h, like Musl or uClibc.
• Fix capturing canvas snapshots in the Web Inspector.
• Fix several crashes and rendering issues.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 SP5 LTSS
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-4423=1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-4423=1

Package List:

• SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le s390x x86_64)
  • typelib-1_0-WebKit2WebExtension-4_0-2.50.3-4.47.1
  • libwebkit2gtk-4_0-37-debuginfo-2.50.3-4.47.1
  • webkit2gtk3-devel-2.50.3-4.47.1
  • libjavascriptcoregtk-4_0-18-2.50.3-4.47.1
  • libwebkit2gtk-4_0-37-2.50.3-4.47.1
  • webkit2gtk-4_0-injected-bundles-2.50.3-4.47.1
  • webkit2gtk3-debugsource-2.50.3-4.47.1
  • typelib-1_0-JavaScriptCore-4_0-2.50.3-4.47.1
  • typelib-1_0-WebKit2-4_0-2.50.3-4.47.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.50.3-4.47.1
• SUSE Linux Enterprise Server 12 SP5 LTSS (noarch)
  • libwebkit2gtk3-lang-2.50.3-4.47.1
• SUSE Linux Enterprise Server 12 SP5 LTSS (ppc64le s390x x86_64)
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.50.3-4.47.1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
  • typelib-1_0-WebKit2WebExtension-4_0-2.50.3-4.47.1
  • libwebkit2gtk-4_0-37-debuginfo-2.50.3-4.47.1
  • webkit2gtk3-devel-2.50.3-4.47.1
  • libjavascriptcoregtk-4_0-18-2.50.3-4.47.1
  • libwebkit2gtk-4_0-37-2.50.3-4.47.1
  • webkit2gtk-4_0-injected-bundles-2.50.3-4.47.1
  • webkit2gtk3-debugsource-2.50.3-4.47.1
  • typelib-1_0-JavaScriptCore-4_0-2.50.3-4.47.1
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.50.3-4.47.1
  • typelib-1_0-WebKit2-4_0-2.50.3-4.47.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.50.3-4.47.1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch)
  • libwebkit2gtk3-lang-2.50.3-4.47.1

References:

• https://www.suse.com/security/cve/CVE-2023-43000.html
• https://www.suse.com/security/cve/CVE-2025-13502.html
• https://www.suse.com/security/cve/CVE-2025-13947.html
• https://www.suse.com/security/cve/CVE-2025-43392.html
• https://www.suse.com/security/cve/CVE-2025-43419.html
• https://www.suse.com/security/cve/CVE-2025-43421.html
• https://www.suse.com/security/cve/CVE-2025-43425.html
• https://www.suse.com/security/cve/CVE-2025-43427.html
• https://www.suse.com/security/cve/CVE-2025-43429.html
• https://www.suse.com/security/cve/CVE-2025-43430.html
• https://www.suse.com/security/cve/CVE-2025-43431.html
• https://www.suse.com/security/cve/CVE-2025-43432.html
• https://www.suse.com/security/cve/CVE-2025-43434.html
• https://www.suse.com/security/cve/CVE-2025-43440.html
• https://www.suse.com/security/cve/CVE-2025-43443.html
• https://www.suse.com/security/cve/CVE-2025-43458.html
• https://www.suse.com/security/cve/CVE-2025-43480.html
• https://www.suse.com/security/cve/CVE-2025-66287.html
• https://bugzilla.suse.com/show_bug.cgi?id=1254164
• https://bugzilla.suse.com/show_bug.cgi?id=1254165
• https://bugzilla.suse.com/show_bug.cgi?id=1254166
• https://bugzilla.suse.com/show_bug.cgi?id=1254167
• https://bugzilla.suse.com/show_bug.cgi?id=1254168
• https://bugzilla.suse.com/show_bug.cgi?id=1254169
• https://bugzilla.suse.com/show_bug.cgi?id=1254170
• https://bugzilla.suse.com/show_bug.cgi?id=1254171
• https://bugzilla.suse.com/show_bug.cgi?id=1254172
• https://bugzilla.suse.com/show_bug.cgi?id=1254174
• https://bugzilla.suse.com/show_bug.cgi?id=1254175
• https://bugzilla.suse.com/show_bug.cgi?id=1254176
• https://bugzilla.suse.com/show_bug.cgi?id=1254177
• https://bugzilla.suse.com/show_bug.cgi?id=1254179
• https://bugzilla.suse.com/show_bug.cgi?id=1254208
• https://bugzilla.suse.com/show_bug.cgi?id=1254473
• https://bugzilla.suse.com/show_bug.cgi?id=1254498
• https://bugzilla.suse.com/show_bug.cgi?id=1254509