Security update for webkit2gtk3

Announcement ID:	SUSE-SU-2026:1648-1
Release Date:	2026-04-28T18:07:02Z
Rating:	moderate
References:	bsc#1261172 bsc#1261173 bsc#1261174 bsc#1261175 bsc#1261176 bsc#1261177 bsc#1261178 bsc#1261179
Cross-References:	CVE-2026-20643 CVE-2026-20664 CVE-2026-20665 CVE-2026-20691 CVE-2026-28857 CVE-2026-28859 CVE-2026-28861 CVE-2026-28871
CVSS scores:	CVE-2026-20643 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2026-20643 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2026-20664 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-20664 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2026-20665 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L CVE-2026-20665 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L CVE-2026-20691 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2026-20691 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2026-28857 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-28857 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2026-28859 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2026-28859 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2026-28861 ( SUSE ): 4.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N CVE-2026-28861 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2026-28871 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2026-28871 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Affected Products:	SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves eight vulnerabilities can now be installed.

Description:

This update for webkit2gtk3 fixes the following issues:

Update to version 2.52.1.

Security issues fixed:

• CVE-2026-20643: processing maliciously crafted web content may bypass Same Origin Policy (bsc#1261172).
• CVE-2026-20664: processing maliciously crafted web content may lead to an unexpected process crash (bsc#1261173).
• CVE-2026-20665: processing maliciously crafted web content may prevent Content Security Policy from being enforced (bsc#1261174).
• CVE-2026-20691: a maliciously crafted webpage may be able to fingerprint the user (bsc#1261175).
• CVE-2026-28857: processing maliciously crafted web content may lead to an unexpected process crash (bsc#1261176).
• CVE-2026-28859: a malicious website may be able to process restricted web content outside the sandbox (bsc#1261177).
• CVE-2026-28861: a malicious website may be able to access script message handlers intended for other origins (bsc#1261178).
• CVE-2026-28871: visiting a maliciously crafted website may lead to a cross-site scripting attack (bsc#1261179).

Other updates and bugfixes:

• Reduce the amount of useless MPRIS notifications produced by MediaSession when the information about media being played is incomplete.
• Support turning off USE_GSTREAMER to configure the build with all multimedia features disabled.
• Add Sysprof marks for mouse events.
• Fix MediaSession icon for iheart.com not being displayed.
• Fix the build with USE_GSTREAMER_GL disabled.
• Fix the build with librice version 0.3.0 or newer.
• Fix several crashes and rendering issues.
• Translation updates: Georgian.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-1648=1

Package List:

• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
  • libjavascriptcoregtk-4_0-18-2.52.1-4.57.1
  • webkit2gtk3-debugsource-2.52.1-4.57.1
  • typelib-1_0-WebKit2-4_0-2.52.1-4.57.1
  • typelib-1_0-JavaScriptCore-4_0-2.52.1-4.57.1
  • webkit2gtk3-devel-2.52.1-4.57.1
  • typelib-1_0-WebKit2WebExtension-4_0-2.52.1-4.57.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.52.1-4.57.1
  • libwebkit2gtk-4_0-37-2.52.1-4.57.1
  • webkit2gtk-4_0-injected-bundles-2.52.1-4.57.1
  • libwebkit2gtk-4_0-37-debuginfo-2.52.1-4.57.1
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.52.1-4.57.1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch)
  • libwebkit2gtk3-lang-2.52.1-4.57.1

References:

• https://www.suse.com/security/cve/CVE-2026-20643.html
• https://www.suse.com/security/cve/CVE-2026-20664.html
• https://www.suse.com/security/cve/CVE-2026-20665.html
• https://www.suse.com/security/cve/CVE-2026-20691.html
• https://www.suse.com/security/cve/CVE-2026-28857.html
• https://www.suse.com/security/cve/CVE-2026-28859.html
• https://www.suse.com/security/cve/CVE-2026-28861.html
• https://www.suse.com/security/cve/CVE-2026-28871.html
• https://bugzilla.suse.com/show_bug.cgi?id=1261172
• https://bugzilla.suse.com/show_bug.cgi?id=1261173
• https://bugzilla.suse.com/show_bug.cgi?id=1261174
• https://bugzilla.suse.com/show_bug.cgi?id=1261175
• https://bugzilla.suse.com/show_bug.cgi?id=1261176
• https://bugzilla.suse.com/show_bug.cgi?id=1261177
• https://bugzilla.suse.com/show_bug.cgi?id=1261178
• https://bugzilla.suse.com/show_bug.cgi?id=1261179