Alpine: multiple qt5-qtwebengine packages: security update to 5.15.17-r7

critical Tenable Self-Hosted Container Security Plugin ID 426560

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Safari 18.3.1, iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.2 and iPadOS 18.3.2, iPadOS 17.7.6, macOS Sequoia 15.3.2, visionOS 2.3.2, watchOS 11.4. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.). (CVE-2025-24201)

- 7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the implementation of Zstandard decompression. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24346. (CVE-2024-11477)

- Use after free in Compositing in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2024-12694)

- xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes. (CVE-2024-55549)

- Integer overflow in Skia in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2025-0436)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-11477

https://security.alpinelinux.org/vuln/CVE-2024-12694

https://security.alpinelinux.org/vuln/CVE-2024-55549

https://security.alpinelinux.org/vuln/CVE-2025-0436

https://security.alpinelinux.org/vuln/CVE-2025-0762

https://security.alpinelinux.org/vuln/CVE-2025-0996

https://security.alpinelinux.org/vuln/CVE-2025-0999

https://security.alpinelinux.org/vuln/CVE-2025-1426

https://security.alpinelinux.org/vuln/CVE-2025-1919

https://security.alpinelinux.org/vuln/CVE-2025-2136

https://security.alpinelinux.org/vuln/CVE-2025-24201

https://security.alpinelinux.org/vuln/CVE-2025-24855

https://security.alpinelinux.org/vuln/CVE-2025-2783

https://security.alpinelinux.org/vuln/CVE-2025-3619

Plugin Details

Severity: Critical

ID: 426560

Version: Revision 1.13

Type: Local

Published: 5/16/2025

Updated: 6/1/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Critical

Score: 9.3

Percentile: 99.81

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-24201

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 11/21/2024

CISA Known Exploited Vulnerability Due Dates: 4/3/2025, 4/17/2025

Reference Information

CVE: CVE-2024-11477, CVE-2024-12694, CVE-2024-55549, CVE-2025-0436, CVE-2025-0762, CVE-2025-0996, CVE-2025-0999, CVE-2025-1426, CVE-2025-1919, CVE-2025-2136, CVE-2025-24201, CVE-2025-24855, CVE-2025-2783, CVE-2025-3619