Security update for webkit2gtk3

Announcement ID:	SUSE-SU-2025:02973-1
Release Date:	2025-08-25T08:49:20Z
Rating:	important
References:	bsc#1239547 bsc#1239863 bsc#1239864 bsc#1247562 bsc#1247563 bsc#1247564 bsc#1247565 bsc#1247595 bsc#1247596 bsc#1247597 bsc#1247598 bsc#1247599 bsc#1247600 bsc#1247742
Cross-References:	CVE-2024-44192 CVE-2024-54467 CVE-2025-24189 CVE-2025-24201 CVE-2025-31273 CVE-2025-31278 CVE-2025-43211 CVE-2025-43212 CVE-2025-43216 CVE-2025-43227 CVE-2025-43228 CVE-2025-43240 CVE-2025-43265 CVE-2025-6558
CVSS scores:	CVE-2024-44192 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2024-44192 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2024-44192 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2024-44192 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2024-54467 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2024-54467 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2024-54467 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2024-54467 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2025-24189 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-24189 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-24189 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-24201 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2025-24201 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2025-24201 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-31273 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-31273 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-31273 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-31278 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-31278 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-31278 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-43211 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-43211 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-43211 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-43212 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-43212 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-43216 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-43216 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2025-43227 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2025-43227 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2025-43228 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2025-43228 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2025-43240 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2025-43240 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2025-43265 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2025-43265 ( NVD ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2025-6558 ( SUSE ): 5.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVE-2025-6558 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server 12 SP5 LTSS SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves 14 vulnerabilities can now be installed.

Description:

This update for webkit2gtk3 fixes the following issues:

• Update to version 2.48.5:
• CVE-2025-31273: Fixed processing maliciously crafted web content leading to memory corruption (bsc#1247564)
• CVE-2025-43265: Fixed processing maliciously crafted web content disclosing internal states of the app (bsc#1247600)
• CVE-2025-43216: Fixed processing maliciously crafted web content leading to an unexpected Safari crash (bsc#1247596)
• CVE-2025-31278: Fixed processing maliciously crafted web content leading to memory corruption (bsc#1247563)
• CVE-2025-6558: Fixed processing maliciously crafted web content leading to an unexpected Safari crash. (bsc#1247742)
• CVE-2025-43227: Fixed Processing maliciously crafted web content disclosing sensitive user information (bsc#1247597)
• CVE-2025-43240: Fixed download’s origin incorrectly associated (bsc#1247599)
• CVE-2025-43228: Fixed visiting a malicious website leading to address bar spoofing (bsc#1247598)
• CVE-2025-43212: Fixed processing maliciously crafted web content leading to an unexpected Safari crash (bsc#1247595)
• CVE-2025-43211: Fixed processing web content leading to a denial-of-service (bsc#1247562)
• Fix several crashes.
• Changes in version 2.48.4:
• Improve emoji font selection with USE_SKIA=ON.
• Improve playback of multimedia streams from blob URLs.
• Fix the build with USE_SKIA_OPENTYPE_SVG=ON and USE_SYSPROF_CAPTURE=ON.
• Fix the build on LoongArch with USE_SKIA=ON.
• Fix crash when using a WebKitWebView widget in an offscreen window.
• Fix several crashes and rendering issues.
• Changes in version 2.48.3:
• Fix a crash introduced by the new threaded rendering implementation using Skia API.
• Improve rendering performance by recording layers once and replaying every dirty region in different worker threads.
• Fix a crash when setting WEBKIT_SKIA_GPU_PAINTING_THREADS=0.

• Fix a reference cycle in webkitmediastreamsrc preventing its disposal.

• CVE-2024-44192:Fixed processing maliciously crafted web content leading to an unexpected process crash (bsc#1239863)

• CVE-2024-54467: Fixed data cross-origin exfiltration due to a cookie management issue (bsc#1239864)
• CVE-2025-24201: Fixed out-of-bounds write vulnerability (bsc#1239547)
• CVE-2025-24189: Fixed processing maliciously crafted web content leading to memory corruption (bsc#1247565)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 SP5 LTSS
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-2973=1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2973=1

Package List:

• SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le s390x x86_64)
  • typelib-1_0-WebKit2WebExtension-4_0-2.48.5-4.41.1
  • libwebkit2gtk-4_0-37-debuginfo-2.48.5-4.41.1
  • webkit2gtk3-devel-2.48.5-4.41.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.48.5-4.41.1
  • webkit2gtk3-debugsource-2.48.5-4.41.1
  • typelib-1_0-WebKit2-4_0-2.48.5-4.41.1
  • libwebkit2gtk-4_0-37-2.48.5-4.41.1
  • libjavascriptcoregtk-4_0-18-2.48.5-4.41.1
  • typelib-1_0-JavaScriptCore-4_0-2.48.5-4.41.1
  • webkit2gtk-4_0-injected-bundles-2.48.5-4.41.1
• SUSE Linux Enterprise Server 12 SP5 LTSS (noarch)
  • libwebkit2gtk3-lang-2.48.5-4.41.1
• SUSE Linux Enterprise Server 12 SP5 LTSS (ppc64le s390x x86_64)
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.48.5-4.41.1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
  • typelib-1_0-WebKit2WebExtension-4_0-2.48.5-4.41.1
  • libwebkit2gtk-4_0-37-debuginfo-2.48.5-4.41.1
  • webkit2gtk3-devel-2.48.5-4.41.1
  • webkit2gtk-4_0-injected-bundles-debuginfo-2.48.5-4.41.1
  • libjavascriptcoregtk-4_0-18-debuginfo-2.48.5-4.41.1
  • webkit2gtk3-debugsource-2.48.5-4.41.1
  • typelib-1_0-WebKit2-4_0-2.48.5-4.41.1
  • libwebkit2gtk-4_0-37-2.48.5-4.41.1
  • libjavascriptcoregtk-4_0-18-2.48.5-4.41.1
  • typelib-1_0-JavaScriptCore-4_0-2.48.5-4.41.1
  • webkit2gtk-4_0-injected-bundles-2.48.5-4.41.1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch)
  • libwebkit2gtk3-lang-2.48.5-4.41.1

References:

• https://www.suse.com/security/cve/CVE-2024-44192.html
• https://www.suse.com/security/cve/CVE-2024-54467.html
• https://www.suse.com/security/cve/CVE-2025-24189.html
• https://www.suse.com/security/cve/CVE-2025-24201.html
• https://www.suse.com/security/cve/CVE-2025-31273.html
• https://www.suse.com/security/cve/CVE-2025-31278.html
• https://www.suse.com/security/cve/CVE-2025-43211.html
• https://www.suse.com/security/cve/CVE-2025-43212.html
• https://www.suse.com/security/cve/CVE-2025-43216.html
• https://www.suse.com/security/cve/CVE-2025-43227.html
• https://www.suse.com/security/cve/CVE-2025-43228.html
• https://www.suse.com/security/cve/CVE-2025-43240.html
• https://www.suse.com/security/cve/CVE-2025-43265.html
• https://www.suse.com/security/cve/CVE-2025-6558.html
• https://bugzilla.suse.com/show_bug.cgi?id=1239547
• https://bugzilla.suse.com/show_bug.cgi?id=1239863
• https://bugzilla.suse.com/show_bug.cgi?id=1239864
• https://bugzilla.suse.com/show_bug.cgi?id=1247562
• https://bugzilla.suse.com/show_bug.cgi?id=1247563
• https://bugzilla.suse.com/show_bug.cgi?id=1247564
• https://bugzilla.suse.com/show_bug.cgi?id=1247565
• https://bugzilla.suse.com/show_bug.cgi?id=1247595
• https://bugzilla.suse.com/show_bug.cgi?id=1247596
• https://bugzilla.suse.com/show_bug.cgi?id=1247597
• https://bugzilla.suse.com/show_bug.cgi?id=1247598
• https://bugzilla.suse.com/show_bug.cgi?id=1247599
• https://bugzilla.suse.com/show_bug.cgi?id=1247600
• https://bugzilla.suse.com/show_bug.cgi?id=1247742