planet.webkitgtk.org
webkit.org
GNOME.org
WebKitGTK

WebKitGTK and WPE WebKit Security Advisory WSA-2026-0001

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

  • CVE-2023-43010
    • Versions affected: WebKitGTK and WPE WebKit before 2.44.0.
    • Credit to Apple.
    • Impact: Processing maliciously crafted web content may lead to memory corruption. This fix associated with the Coruna exploit was shipped in iOS 17.2 on December 11th, 2023. This update brings that fix to devices that cannot update to the latest iOS version. Description: The issue was addressed with improved memory handling.
    • WebKit Bugzilla: 260913
  • CVE-2025-31223
    • Versions affected: WebKitGTK and WPE WebKit before 2.50.0.
    • Credit to Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs.
    • Impact: Processing maliciously crafted web content may lead to memory corruption. Description: The issue was addressed with improved checks.
    • WebKit Bugzilla: 289387
  • CVE-2025-31277
    • Versions affected: WebKitGTK and WPE WebKit before 2.50.0.
    • Credit to Yuhao Hu, Yan Kang, Chenggang Wu, and Xiaojie Wei.
    • Impact: Processing maliciously crafted web content may lead to memory corruption. Description: The issue was addressed with improved memory handling.
    • WebKit Bugzilla: 291745
  • CVE-2025-43213
    • Versions affected: WebKitGTK and WPE WebKit before 2.50.5.
    • Credit to Google V8 Security Team.
    • Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash. Description: The issue was addressed with improved memory handling.
    • WebKit Bugzilla: 292621
  • CVE-2025-43214
    • Versions affected: WebKitGTK and WPE WebKit before 2.50.5.
    • Credit to shandikri working with Trend Micro Zero Day Initiative, Google V8 Security Team.
    • Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash. Description: The issue was addressed with improved memory handling.
    • WebKit Bugzilla: 292599
  • CVE-2025-43433
    • Versions affected: WebKitGTK and WPE WebKit before 2.50.2.
    • Credit to Google Big Sleep.
    • Impact: Processing maliciously crafted web content may lead to memory corruption. Description: The issue was addressed with improved memory handling.
    • WebKit Bugzilla: 298093
  • CVE-2025-43438
    • Versions affected: WebKitGTK and WPE WebKit before 2.50.2.
    • Credit to rheza (@ginggilBesel), shandikri working with Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash. Description: A use-after-free issue was addressed with improved memory management.
    • WebKit Bugzilla: 297662
  • CVE-2025-43441
    • Versions affected: WebKitGTK and WPE WebKit before 2.50.2.
    • Credit to rheza (@ginggilBesel).
    • Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling.
    • WebKit Bugzilla: 298496
  • CVE-2025-43457
    • Versions affected: WebKitGTK and WPE WebKit before 2.50.6.
    • Credit to Gary Kwong, Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative.
    • Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash. Description: A use-after-free issue was addressed with improved memory management.
    • WebKit Bugzilla: 298606
  • CVE-2025-43511
    • Versions affected: WebKitGTK and WPE WebKit before 2.50.5.
    • Credit to 이동하 (Lee Dong Ha of BoB 14th).
    • Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: A use-after-free issue was addressed with improved memory management.
    • WebKit Bugzilla: 300926
  • CVE-2025-46299
    • Versions affected: WebKitGTK and WPE WebKit before 2.52.0.
    • Credit to Google Big Sleep.
    • Impact: Processing maliciously crafted web content may disclose internal states of the app. Description: A memory initialization issue was addressed with improved memory handling.
    • WebKit Bugzilla: 299518
  • CVE-2026-20608
    • Versions affected: WebKitGTK and WPE WebKit before 2.50.6.
    • Credit to HanQing from TSDubhe and Nan Wang (@eternalsakura13).
    • Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: This issue was addressed through improved state management.
    • WebKit Bugzilla: 303357
  • CVE-2026-20635
    • Versions affected: WebKitGTK and WPE WebKit before 2.50.6.
    • Credit to EntryHi.
    • Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling.
    • WebKit Bugzilla: 304661
  • CVE-2026-20636
    • Versions affected: WebKitGTK and WPE WebKit before 2.50.6.
    • Credit to EntryHi.
    • Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling.
    • WebKit Bugzilla: 304657
  • CVE-2026-20644
    • Versions affected: WebKitGTK and WPE WebKit before 2.50.6.
    • Credit to HanQing from TSDubhe and Nan Wang (@eternalsakura13).
    • Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling.
    • WebKit Bugzilla: 303444
  • CVE-2026-20652
    • Versions affected: WebKitGTK and WPE WebKit before 2.50.6.
    • Credit to Nathaniel Oh (@calysteon).
    • Impact: A remote attacker may be able to cause a denial-of-service. Description: The issue was addressed with improved memory handling.
    • WebKit Bugzilla: 303959
  • CVE-2026-20676
    • Versions affected: WebKitGTK and WPE WebKit before 2.50.6.
    • Credit to Tom Van Goethem.
    • Impact: A website may be able to track users through Safari web extensions. Description: This issue was addressed through improved state management.
    • WebKit Bugzilla: 305020

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: webkitgtk.org/security.html or wpewebkit.org/security.

Latest News
Security Advisories
Releases
Documentation
Contact
Contribute