The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:4416-1 advisory.

    Update to version 2.50.3.

    Security issues fixed:

    - CVE-2025-13502: processing of maliciously crafted payloads by the GLib remote inspector server may lead     to a       UIProcess crash due to an out-of-bounds read and an integer underflow (bsc#1254208).
    - CVE-2025-13947: use of the file drag-and-drop mechanism may lead to remote information disclosure due to     a lack of       verification of the origins of drag operations (bsc#1254473).
    - CVE-2025-43392: websites may exfiltrate image data cross-origin due to issues with cache handling     (bsc#1254165).
    - CVE-2025-43421: processing maliciously crafted web content may lead to an unexpected process crash due     to enabled       array allocation sinking (bsc#1254167).
    - CVE-2025-43425: processing maliciously crafted web content may lead to an unexpected process crash due     to improper       memory handling (bsc#1254168).
    - CVE-2025-43427: processing maliciously crafted web content may lead to an unexpected process crash due     to issues with       state management (bsc#1254169).
    - CVE-2025-43429: processing maliciously crafted web content may lead to an unexpected process crash due     to a buffer       overflow issue (bsc#1254174).
    - CVE-2025-43430: processing maliciously crafted web content may lead to an unexpected process crash due     to issues with       state management (bsc#1254172).
    - CVE-2025-43431: processing maliciously crafted web content may lead to memory corruption due to improper     memory       handling (bsc#1254170).
    - CVE-2025-43432: processing maliciously crafted web content may lead to an unexpected process crash due     to a       use-after-free issue (bsc#1254171).
    - CVE-2025-43434: processing maliciously crafted web content may lead to an unexpected process crash due     to a       use-after-free issue (bsc#1254179).
    - CVE-2025-43440: processing maliciously crafted web content may lead to an unexpected process crash due     to missing       checks (bsc#1254177).
    - CVE-2025-43443: processing maliciously crafted web content may lead to an unexpected process crash due     to missing       checks (bsc#1254176).
    - CVE-2025-43458: processing maliciously crafted web content may lead to an unexpected process crash due     to issues with       state management (bsc#1254498).
    - CVE-2025-66287: processing maliciously crafted web content may lead to an unexpected process crash due     to improper       memory handling (bsc#1254509).

    Other issues fixed and changes:

    - Version 2.50.3:
      * Fix seeking and looping of media elements that set the 'loop' property.
      * Fix several crashes and rendering issues.
    - Version 2.50.2:
      * Prevent unsafe URI schemes from participating in media playback.
      * Make jsc_value_array_buffer_get_data() function introspectable.
      * Fix logging in to Google accounts that have a WebAuthn second factor configured.
      * Fix loading webkit://gpu when there are no threads configured for GPU rendering.
      * Fix rendering gradiants that use the CSS hue interpolation method.
      * Fix pasting image data from the clipboard.
      * Fix font-family selection when the font name contains spaces.
      * Fix the build with standard C libraries that lack execinfo.h, like Musl or uClibc.
      * Fix capturing canvas snapshots in the Web Inspector.
      * Fix several crashes and rendering issues.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

SUSE SLES15 Security Update : webkit2gtk3 (SUSE-SU-2025:4416-1)

high Nessus Plugin ID 278944

Version 1.3

Version 1.2

Version 1.1

Version 1.3 Mar 17, 2026, 4:16 PM CVSSv2 score source (changed from "CVE-2025-66287" to "CVE-2023-43000") Plugin Feed: 202603171616
Version 1.2 Mar 7, 2026, 12:24 AM CISA reference CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202603070024
Version 1.1 Dec 17, 2025, 4:56 PM New Plugin Feed: 202512171656