WebKitGTK and WPE WebKit Security Advisory WSA-2026-0004
-
Date Reported: July 10, 2026
-
Advisory ID: WSA-2026-0004
-
CVE identifiers: CVE-2024-4367, CVE-2026-39872, CVE-2026-43663, CVE-2026-43676, CVE-2026-43699, CVE-2026-43701, CVE-2026-43705, CVE-2026-43707, CVE-2026-43712, CVE-2026-43713, CVE-2026-43715, CVE-2026-43716, CVE-2026-43720, CVE-2026-43721, CVE-2026-43725, CVE-2026-43726, CVE-2026-43727, CVE-2026-43731, CVE-2026-43732, CVE-2026-43734, CVE-2026-43740, CVE-2026-43742, CVE-2026-43745
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
- CVE-2024-4367
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Thomas Rinsma of Codean Labs.
- Impact: A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. Description: The issue was addressed with improved checks.
- CVE-2026-39872
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Utkarsh Pal, Ignacio Sanmillan (@ulexec).
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 313528
- CVE-2026-43663
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Soyeon Park, Amy Burnett, Khai Tran, sherkito, Kota Toda, HexRabbit (@h3xr4bb1t) and NiNi (@terrynini38514) of DEVCORE Research Team, Using GLM From Z.AI, Tristan Madani (@TristanInSec) from Talence Security, Brian Carpenter.
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 312781
- CVE-2026-43676
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Mateusz Krzywicki (iVerify.io), dr3dd, Tommy DeVoss from Braze Security Team (@thedawgyg).
- Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash. Description: An out-of-bounds access issue was addressed with improved bounds checking.
- WebKit Bugzilla: 317231
- CVE-2026-43699
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Tommy DeVoss from Braze Security Team (@thedawgyg).
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: A use-after-free issue was addressed with improved memory management.
- WebKit Bugzilla: 317227
- CVE-2026-43701
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Aaron Grattafiori - NVIDIA AI Red Team.
- Impact: A malicious website may be able to process restricted web content outside the sandbox. Description: The issue was addressed with improved checks.
- WebKit Bugzilla: 315004
- CVE-2026-43705
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to dr3dd.
- Impact: Processing maliciously crafted web content may lead to memory corruption. Description: A type confusion issue was addressed with improved checks.
- WebKit Bugzilla: 314528
- CVE-2026-43707
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to OpenAI Codex Security - Amy Burnett.
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: A memory corruption issue was addressed with improved memory handling.
- WebKit Bugzilla: 315951
- CVE-2026-43712
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Kwak Kiyong, Song Nuri, Tristan Madani (@TristanInSec) from Talence Security.
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 314235
- CVE-2026-43713
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Jody Ritonga.
- Impact: Visiting a website may leak sensitive data. Description: A permissions issue was addressed with additional restrictions.
- WebKit Bugzilla: 314806
- CVE-2026-43715
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Milad Nasr and Nicholas Carlini with Claude, Anthropic.
- Impact: Processing maliciously crafted web content may lead to memory corruption. Description: A use-after-free issue was addressed with improved memory management.
- WebKit Bugzilla: 313577
- CVE-2026-43716
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Tuan and Duc from Calif.io, OpenAI Codex Security - Amy Burnett, Evan Lambert.
- Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 313473
- CVE-2026-43720
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Gia Bui (@yabeow) from Calif.io, Josef Korbel.
- Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash. Description: A use-after-free issue was addressed with improved memory management.
- WebKit Bugzilla: 313175
- CVE-2026-43721
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Idan Masas.
- Impact: A malicious website may be able to silently hijack clipboard data. Description: This issue was addressed through improved state management.
- WebKit Bugzilla: 313478
- CVE-2026-43725
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Luke Francis.
- Impact: A malicious website may be able to process restricted web content outside the sandbox. Description: The issue was addressed with improved input validation.
- WebKit Bugzilla: 312832
- CVE-2026-43726
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Josef Korbel (Citadelo), Tristan Madani (@TristanInSec) from Talence Security, Gia Bui (@yabeow) from Calif.io, Narendra Singh (@_3P1C).
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: A use-after-free issue was addressed with improved memory management.
- WebKit Bugzilla: 313857
- CVE-2026-43727
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Tommy DeVoss from Braze Security Team (@thedawgyg), Gia Bui (@yabeow) from Calif.io, Gurpreet Shergill.
- Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash. Description: A use-after-free issue was addressed with improved memory management.
- WebKit Bugzilla: 313691
- CVE-2026-43731
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to dr3dd.
- Impact: Processing maliciously crafted web content may lead to memory corruption. Description: A use-after-free issue was addressed with improved memory management.
- WebKit Bugzilla: 314115
- CVE-2026-43732
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Nan Wang (@eternalsakura13).
- Impact: Processing maliciously crafted web content may disclose sensitive user information. Description: A path handling issue was addressed with improved validation.
- WebKit Bugzilla: 313085
- CVE-2026-43734
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Jonathan Alush-Aben.
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: A use-after-free issue was addressed with improved memory management.
- WebKit Bugzilla: 313693
- CVE-2026-43740
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Nathaniel Oh (@calysteon), Arni Hardarson.
- Impact: Processing maliciously crafted web content may result in the disclosure of process memory. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 308046
- CVE-2026-43742
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to Юлия Мерцалова.
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: A use-after-free issue was addressed with improved memory management.
- WebKit Bugzilla: 315161
- CVE-2026-43745
- Versions affected: WebKitGTK and WPE WebKit before 2.52.5.
- Credit to OpenAI Codex Security - Amy Burnett, Khai Tran.
- Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash. Description: An out-of-bounds write issue was addressed with improved input validation.
- WebKit Bugzilla: 315365
We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.
Further information about WebKitGTK and WPE WebKit security advisories can be found at: webkitgtk.org/security.html or wpewebkit.org/security.