Security update for webkit2gtk3

Announcement ID:	SUSE-SU-2025:02766-1
Release Date:	2025-08-12T13:00:43Z
Rating:	important
References:	bsc#1247562 bsc#1247563 bsc#1247564 bsc#1247595 bsc#1247596 bsc#1247597 bsc#1247598 bsc#1247599 bsc#1247600 bsc#1247742
Cross-References:	CVE-2024-44192 CVE-2024-54467 CVE-2025-24189 CVE-2025-24201 CVE-2025-31273 CVE-2025-31278 CVE-2025-43211 CVE-2025-43212 CVE-2025-43216 CVE-2025-43227 CVE-2025-43228 CVE-2025-43240 CVE-2025-43265 CVE-2025-6558
CVSS scores:	CVE-2024-44192 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2024-44192 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2024-44192 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2024-44192 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2024-54467 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2024-54467 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2024-54467 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2024-54467 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2025-24189 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-24189 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-24189 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-24201 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2025-24201 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2025-24201 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-31273 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-31273 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-31273 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-31278 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-31278 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-31278 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-43211 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-43211 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-43211 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-43212 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-43212 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-43216 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-43216 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-43227 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2025-43227 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2025-43228 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2025-43228 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2025-43240 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2025-43240 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2025-43265 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2025-43265 ( NVD ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2025-6558 ( SUSE ): 5.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVE-2025-6558 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP3

An update that solves 14 vulnerabilities can now be installed.

Description:

This update for webkit2gtk3 fixes the following issues:

Updated to version 2.48.5:
- CVE-2025-31273: Fixed a vulnerability where processing maliciously crafted web content could lead to memory corruption. (bsc#1247564)
- CVE-2025-31278: Fixed a vulnerability where processing maliciously crafted web content may lead to memory corruption. (bsc#1247563)
- CVE-2025-43211: Fixed a vulnerability where processing web content may lead to a denial-of-service. (bsc#1247562)
- CVE-2025-43212: Fixed a vulnerability where processing maliciously crafted web content may lead to an unexpected Safari crash. (bsc#1247595)
- CVE-2025-43216: Fixed a vulnerability where processing maliciously crafted web content may lead to an unexpected Safari crash. (bsc#1247596)
- CVE-2025-43227: Fixed a vulnerability where processing maliciously crafted web content may disclose sensitive user information. (bsc#1247597)
- CVE-2025-43228: Fixed a vulnerability where visiting a malicious website may lead to address bar spoofing. (bsc#1247598)
- CVE-2025-43240: Fixed a vulnerability where a download's origin may be incorrectly associated. (bsc#1247599)
- CVE-2025-43265: Fixed a vulnerability where processing maliciously crafted web content may disclose internal states of the app. (bsc#1247600)
- CVE-2025-6558: Fixed a vulnerability where processing maliciously crafted web content may lead to an unexpected Safari crash. (bsc#1247742)

Other fixes: - Improve emoji font selection with USE_SKIA=ON. - Improve playback of multimedia streams from blob URLs. - Fix the build with USE_SKIA_OPENTYPE_SVG=ON and USE_SYSPROF_CAPTURE=ON. - Fix crash when using a WebKitWebView widget in an offscreen window. - Fix several crashes and rendering issues. - Fix a crash introduced by the new threaded rendering implementation using Skia API. - Improve rendering performance by recording layers once and replaying every dirty region in different worker threads. - Fix a crash when setting WEBKIT_SKIA_GPU_PAINTING_THREADS=0. - Fix a reference cycle in webkitmediastreamsrc preventing its disposal. - Increase mem_per_process again to avoid running out of memory.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-2766=1
• SUSE Linux Enterprise Server 15 SP3 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-2766=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2025-2766=1
• SUSE Enterprise Storage 7.1
  zypper in -t patch SUSE-Storage-7.1-2025-2766=1

Package List:

• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64)
  • libwebkit2gtk-4_0-37-2.48.5-150200.150.1
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.48.5-150200.150.1
  • webkit2gtk3-debugsource-2.48.5-150200.150.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.48.5-150200.150.1
  • typelib-1_0-JavaScriptCore-4_0-2.48.5-150200.150.1
  • libwebkit2gtk-4_0-37-debuginfo-2.48.5-150200.150.1
  • typelib-1_0-WebKit2WebExtension-4_0-2.48.5-150200.150.1
  • webkit2gtk3-devel-2.48.5-150200.150.1
  • typelib-1_0-WebKit2-4_0-2.48.5-150200.150.1
  • webkit2gtk-4_0-injected-bundles-2.48.5-150200.150.1
  • libjavascriptcoregtk-4_0-18-2.48.5-150200.150.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
  • libwebkit2gtk3-lang-2.48.5-150200.150.1
• SUSE Linux Enterprise Server 15 SP3 LTSS (aarch64 ppc64le s390x x86_64)
  • libwebkit2gtk-4_0-37-2.48.5-150200.150.1
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.48.5-150200.150.1
  • webkit2gtk3-debugsource-2.48.5-150200.150.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.48.5-150200.150.1
  • typelib-1_0-JavaScriptCore-4_0-2.48.5-150200.150.1
  • libwebkit2gtk-4_0-37-debuginfo-2.48.5-150200.150.1
  • typelib-1_0-WebKit2WebExtension-4_0-2.48.5-150200.150.1
  • webkit2gtk3-devel-2.48.5-150200.150.1
  • typelib-1_0-WebKit2-4_0-2.48.5-150200.150.1
  • webkit2gtk-4_0-injected-bundles-2.48.5-150200.150.1
  • libjavascriptcoregtk-4_0-18-2.48.5-150200.150.1
• SUSE Linux Enterprise Server 15 SP3 LTSS (noarch)
  • libwebkit2gtk3-lang-2.48.5-150200.150.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
  • libwebkit2gtk-4_0-37-2.48.5-150200.150.1
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.48.5-150200.150.1
  • webkit2gtk3-debugsource-2.48.5-150200.150.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.48.5-150200.150.1
  • libwebkit2gtk-4_0-37-debuginfo-2.48.5-150200.150.1
  • typelib-1_0-JavaScriptCore-4_0-2.48.5-150200.150.1
  • typelib-1_0-WebKit2WebExtension-4_0-2.48.5-150200.150.1
  • webkit2gtk3-devel-2.48.5-150200.150.1
  • typelib-1_0-WebKit2-4_0-2.48.5-150200.150.1
  • webkit2gtk-4_0-injected-bundles-2.48.5-150200.150.1
  • libjavascriptcoregtk-4_0-18-2.48.5-150200.150.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
  • libwebkit2gtk3-lang-2.48.5-150200.150.1
• SUSE Enterprise Storage 7.1 (aarch64 x86_64)
  • libwebkit2gtk-4_0-37-2.48.5-150200.150.1
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.48.5-150200.150.1
  • webkit2gtk3-debugsource-2.48.5-150200.150.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.48.5-150200.150.1
  • typelib-1_0-JavaScriptCore-4_0-2.48.5-150200.150.1
  • libwebkit2gtk-4_0-37-debuginfo-2.48.5-150200.150.1
  • typelib-1_0-WebKit2WebExtension-4_0-2.48.5-150200.150.1
  • webkit2gtk3-devel-2.48.5-150200.150.1
  • typelib-1_0-WebKit2-4_0-2.48.5-150200.150.1
  • webkit2gtk-4_0-injected-bundles-2.48.5-150200.150.1
  • libjavascriptcoregtk-4_0-18-2.48.5-150200.150.1
• SUSE Enterprise Storage 7.1 (noarch)
  • libwebkit2gtk3-lang-2.48.5-150200.150.1

References:

• https://www.suse.com/security/cve/CVE-2024-44192.html
• https://www.suse.com/security/cve/CVE-2024-54467.html
• https://www.suse.com/security/cve/CVE-2025-24189.html
• https://www.suse.com/security/cve/CVE-2025-24201.html
• https://www.suse.com/security/cve/CVE-2025-31273.html
• https://www.suse.com/security/cve/CVE-2025-31278.html
• https://www.suse.com/security/cve/CVE-2025-43211.html
• https://www.suse.com/security/cve/CVE-2025-43212.html
• https://www.suse.com/security/cve/CVE-2025-43216.html
• https://www.suse.com/security/cve/CVE-2025-43227.html
• https://www.suse.com/security/cve/CVE-2025-43228.html
• https://www.suse.com/security/cve/CVE-2025-43240.html
• https://www.suse.com/security/cve/CVE-2025-43265.html
• https://www.suse.com/security/cve/CVE-2025-6558.html
• https://bugzilla.suse.com/show_bug.cgi?id=1247562
• https://bugzilla.suse.com/show_bug.cgi?id=1247563
• https://bugzilla.suse.com/show_bug.cgi?id=1247564
• https://bugzilla.suse.com/show_bug.cgi?id=1247595
• https://bugzilla.suse.com/show_bug.cgi?id=1247596
• https://bugzilla.suse.com/show_bug.cgi?id=1247597
• https://bugzilla.suse.com/show_bug.cgi?id=1247598
• https://bugzilla.suse.com/show_bug.cgi?id=1247599
• https://bugzilla.suse.com/show_bug.cgi?id=1247600
• https://bugzilla.suse.com/show_bug.cgi?id=1247742