Alpine: multiple qt6-qtwebengine packages: security update to 6.8.2-r3

Severity: Critical. Tenable Self-Hosted Container Security, Plugin ID 427796

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This
issue is fixed in Safari 18.3.1, iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.2
and iPadOS 18.3.2, iPadOS 17.7.6, macOS Sequoia 15.3.2, visionOS 2.3.2, watchOS 11.4. Maliciously crafted
web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack
that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an
extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.)
(CVE-2025-24201)

- 7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability. This vulnerability
allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with
this library is required to exploit this vulnerability but attack vectors may vary depending on the
implementation. The specific flaw exists within the implementation of Zstandard decompression. The issue
results from the lack of proper validation of user-supplied data, which can result in an integer underflow
before writing to memory. An attacker can leverage this vulnerability to execute code in the context of
the current process. Was ZDI-CAN-24346. (CVE-2024-11477)

- Out of bounds memory access in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to
execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
(CVE-2024-12693)

- Use after free in Compositing in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to
potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
(CVE-2024-12694)

- xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result
prefixes. (CVE-2024-55549)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-11477

https://security.alpinelinux.org/vuln/CVE-2024-12693

https://security.alpinelinux.org/vuln/CVE-2024-12694

https://security.alpinelinux.org/vuln/CVE-2024-55549

https://security.alpinelinux.org/vuln/CVE-2025-0436

https://security.alpinelinux.org/vuln/CVE-2025-0437

https://security.alpinelinux.org/vuln/CVE-2025-0438

https://security.alpinelinux.org/vuln/CVE-2025-0441

https://security.alpinelinux.org/vuln/CVE-2025-0443

https://security.alpinelinux.org/vuln/CVE-2025-0447

https://security.alpinelinux.org/vuln/CVE-2025-0611

https://security.alpinelinux.org/vuln/CVE-2025-0762

https://security.alpinelinux.org/vuln/CVE-2025-0996

https://security.alpinelinux.org/vuln/CVE-2025-0998

https://security.alpinelinux.org/vuln/CVE-2025-0999

https://security.alpinelinux.org/vuln/CVE-2025-1006

https://security.alpinelinux.org/vuln/CVE-2025-1426

https://security.alpinelinux.org/vuln/CVE-2025-1915

https://security.alpinelinux.org/vuln/CVE-2025-1918

https://security.alpinelinux.org/vuln/CVE-2025-1919

https://security.alpinelinux.org/vuln/CVE-2025-1921

https://security.alpinelinux.org/vuln/CVE-2025-2136

https://security.alpinelinux.org/vuln/CVE-2025-24201

https://security.alpinelinux.org/vuln/CVE-2025-24855

https://security.alpinelinux.org/vuln/CVE-2025-2783

https://security.alpinelinux.org/vuln/CVE-2025-3071

https://security.alpinelinux.org/vuln/CVE-2025-3619

Plugin Details

Severity: Critical

ID: 427796

Version: Revision 1.16

Type: Local

Published: 5/30/2025

Updated: 6/1/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Critical

Score: 9.3

Percentile: 99.81

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-24201

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 11/21/2024

CISA Known Exploited Vulnerability Due Dates: 4/3/2025, 4/17/2025

Reference Information

CVE: CVE-2024-11477, CVE-2024-12693, CVE-2024-12694, CVE-2024-55549, CVE-2025-0436, CVE-2025-0437, CVE-2025-0438, CVE-2025-0441, CVE-2025-0443, CVE-2025-0447, CVE-2025-0611, CVE-2025-0762, CVE-2025-0996, CVE-2025-0999, CVE-2025-1006, CVE-2025-1426, CVE-2025-1915, CVE-2025-1918, CVE-2025-1919, CVE-2025-1921, CVE-2025-2136, CVE-2025-24201, CVE-2025-24855, CVE-2025-2783, CVE-2025-3071, CVE-2025-3619