CVE-2026-20635

high

Published 2026-05-19 · Modified 2026-04-24

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.0

Description

Important: webkit2gtk3 security update

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash Red Hat statement To exploit this issue, an attacker needs to trick a user into processing or loading malicious web content. Due to this reason, this flaw has been rated with an important severity. Additionally, this issue can cause an unexpected process crash but the possibility of remote…

Description

webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash

Red Hat statement

To exploit this issue, an attacker needs to trick a user into processing or loading malicious web content. Due to this reason, this flaw has been rated with an important severity. Additionally, this issue can cause an unexpected process crash but the possibility of remote code execution is not discarded.

CVSS v3: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 8	`webkit2gtk3-0:2.52.3-1.el8_10`	RHSA-2026:10702	2026-04-27T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	`webkit2gtk3-0:2.52.3-1.el8_4`	RHSA-2026:16056	2026-05-11T00:00:00Z
Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On	`webkit2gtk3-0:2.52.3-1.el8_4`	RHSA-2026:16056	2026-05-11T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support	`webkit2gtk3-0:2.52.3-1.el8_6`	RHSA-2026:13845	2026-05-05T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service	`webkit2gtk3-0:2.52.3-1.el8_6`	RHSA-2026:13845	2026-05-05T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions	`webkit2gtk3-0:2.52.3-1.el8_6`	RHSA-2026:13845	2026-05-05T00:00:00Z
Red Hat Enterprise Linux 8.8 Telecommunications Update Service	`webkit2gtk3-0:2.52.3-1.el8_8`	RHSA-2026:11814	2026-04-29T00:00:00Z
Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions	`webkit2gtk3-0:2.52.3-1.el8_8`	RHSA-2026:11814	2026-04-29T00:00:00Z
Red Hat Enterprise Linux 9	`webkit2gtk3-0:2.52.3-1.el9_8`	RHSA-2026:19206	2026-05-19T00:00:00Z
Red Hat Enterprise Linux 9	`webkit2gtk3-0:2.52.3-0.el9_7.1`	RHSA-2026:9692	2026-04-22T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions	`webkit2gtk3-0:2.52.3-1.el9_0`	RHSA-2026:19535	2026-05-20T00:00:00Z
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions	`webkit2gtk3-0:2.52.3-1.el9_2`	RHSA-2026:16695	2026-05-13T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support	`webkit2gtk3-0:2.52.3-1.el9_4`	RHSA-2026:14659	2026-05-07T00:00:00Z
Red Hat Enterprise Linux 9.6 Extended Update Support	`webkit2gtk3-0:2.52.3-1.el9_6`	RHSA-2026:11329	2026-04-28T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 6	`webkitgtk`	Out of support scope
Red Hat Enterprise Linux 7	`webkitgtk3`	Not affected
Red Hat Enterprise Linux 7	`webkitgtk4`	Affected

Apply commands

bash fix

Apply RHSA-2026:10702 for Red Hat Enterprise Linux 8

yum update -y webkit2gtk3
# or:
dnf upgrade -y webkit2gtk3

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 7	`Not affected`
redhat	Red Hat Enterprise Linux 7	`Affected`

OS impact

OS	Version	Status	Fixed in
rhel	9	fixed
sles		affected
debian	bookworm	fixed	`2.50.6-1~deb12u1`
debian	bullseye	fixed	`2.50.6-1~deb11u1`
debian	forky	fixed	`2.50.6-1`
debian	sid	fixed	`2.50.6-1`
debian	trixie	fixed	`2.50.6-1~deb13u1`
rocky	9	fixed

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.