CVE-2026-20644
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.
Security Fix(es):
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43213)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43214)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash (CVE-2025-43457)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2025-43511)
- webkitgtk: Processing maliciously crafted web content may disclose internal states of the app (CVE-2025-46299)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20608)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20635)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20636)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20644)
- webkitgtk: A remote attacker may be able to cause a denial-of-service (CVE-2026-20652)
- webkitgtk: A website may be able to track users through Safari web extensions (CVE-2026-20676)
- webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy (CVE-2026-20643)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-20664)
- webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2026-20665)
- webkitgtk: A maliciously crafted webpage may be able to fingerprint the user (CVE-2026-20691)
- webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2026-28857)
- webkitgtk: A malicious website may be able to process restricted web content outside the sandbox (CVE-2026-28859)
- webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack (CVE-2026-28871)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Package Versions Affected
Automatically patch vulnerabilities without upgrading
CVSS Version
Related Resources
References
https://access.redhat.com/errata/RHSA-2026:9692, https://access.redhat.com/security/cve/CVE-2025-43213, https://access.redhat.com/security/cve/CVE-2025-43214, https://access.redhat.com/security/cve/CVE-2025-43457, https://access.redhat.com/security/cve/CVE-2025-43511, https://access.redhat.com/security/cve/CVE-2025-46299, https://access.redhat.com/security/cve/CVE-2026-20608, https://access.redhat.com/security/cve/CVE-2026-20635, https://access.redhat.com/security/cve/CVE-2026-20636, https://access.redhat.com/security/cve/CVE-2026-20643, https://access.redhat.com/security/cve/CVE-2026-20644, https://access.redhat.com/security/cve/CVE-2026-20652, https://access.redhat.com/security/cve/CVE-2026-20664, https://access.redhat.com/security/cve/CVE-2026-20665, https://access.redhat.com/security/cve/CVE-2026-20676, https://access.redhat.com/security/cve/CVE-2026-20691, https://access.redhat.com/security/cve/CVE-2026-28857, https://access.redhat.com/security/cve/CVE-2026-28859, https://access.redhat.com/security/cve/CVE-2026-28871
Basic Information
