Detections
Analytics

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : webkit2gtk3 (SUSE-SU-2026:0021-1)

high Nessus Plugin ID 281839

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0021-1 advisory.

 Update to version 2.50.4.

 Security issues fixed:

 - CVE-2025-13502: processing of maliciously crafted payloads by the GLib remote inspector server may lead to a UIProcess crash due to an out-of-bounds read and an integer underflow (bsc#1254208).
 - CVE-2025-13947: use of the file drag-and-drop mechanism may lead to remote information disclosure due to a lack of verification of the origins of drag operations (bsc#1254473).
 - CVE-2025-14174: processing maliciously crafted web content may lead to memory corruption due to improper validation (bsc#1255497).
 - CVE-2025-43392: websites may exfiltrate image data cross-origin due to issues with cache handling (bsc#1254165).
 - CVE-2025-43421: processing maliciously crafted web content may lead to an unexpected process crash due to enabled array allocation sinking (bsc#1254167).
 - CVE-2025-43425: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1254168).
 - CVE-2025-43427: processing maliciously crafted web content may lead to an unexpected process crash due to issues with state management (bsc#1254169).
 - CVE-2025-43429: processing maliciously crafted web content may lead to an unexpected process crash due to a buffer overflow issue (bsc#1254174).
 - CVE-2025-43430: processing maliciously crafted web content may lead to an unexpected process crash due to issues with state management (bsc#1254172).
 - CVE-2025-43431: processing maliciously crafted web content may lead to memory corruption due to improper memory handling (bsc#1254170).
 - CVE-2025-43432: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1254171).
 - CVE-2025-43434: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1254179).
 - CVE-2025-43440: processing maliciously crafted web content may lead to an unexpected process crash due to missing checks (bsc#1254177).
 - CVE-2025-43443: processing maliciously crafted web content may lead to an unexpected process crash due to missing checks (bsc#1254176).
 - CVE-2025-43458: processing maliciously crafted web content may lead to an unexpected process crash due to issues with state management (bsc#1254498).
 - CVE-2025-43501: processing maliciously crafted web content may lead to an unexpected process crash due to a buffer overflow issue (bsc#1255194).
 - CVE-2025-43529: processing maliciously crafted web content may lead to arbitrary code execution due to a use-after-free issue (bsc#1255198).
 - CVE-2025-43531: processing maliciously crafted web content may lead to an unexpected process crash due to a race condition (bsc#1255183).
 - CVE-2025-43535: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1255195).
 - CVE-2025-43536: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1255200).
 - CVE-2025-43541: processing maliciously crafted web content may lead to an unexpected process crash due to type confusion (bsc#1255191).
 - CVE-2025-66287: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1254509).

 Other issues fixed and changes:

 - Version 2.50.4:
 * Correctly handle the program name passed to the sleep disabler.
 * Ensure GStreamer is initialized before using the Quirks.
 * Fix several crashes and rendering issues.

 - Version 2.50.3:
 * Fix seeking and looping of media elements that set the 'loop' property.
 * Fix several crashes and rendering issues.

 - Version 2.50.2:
 * Prevent unsafe URI schemes from participating in media playback.
 * Make jsc_value_array_buffer_get_data() function introspectable.
 * Fix logging in to Google accounts that have a WebAuthn second factor configured.
 * Fix loading webkit://gpu when there are no threads configured for GPU rendering.
 * Fix rendering gradiants that use the CSS hue interpolation method.
 * Fix pasting image data from the clipboard.
 * Fix font-family selection when the font name contains spaces.
 * Fix the build with standard C libraries that lack execinfo.h, like Musl or uClibc.
 * Fix capturing canvas snapshots in the Web Inspector.
 * Fix several crashes and rendering issues.

 - Fix a11y regression where AT-SPI roles were mapped incorrectly.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1254164

https://bugzilla.suse.com/1254165

https://bugzilla.suse.com/1254166

https://bugzilla.suse.com/1254167

https://bugzilla.suse.com/1254168

https://bugzilla.suse.com/1254169

https://bugzilla.suse.com/1254170

https://bugzilla.suse.com/1254171

https://bugzilla.suse.com/1254172

https://bugzilla.suse.com/1254174

https://bugzilla.suse.com/1254175

https://bugzilla.suse.com/1254176

https://bugzilla.suse.com/1254177

https://bugzilla.suse.com/1254179

https://bugzilla.suse.com/1254208

https://bugzilla.suse.com/1254473

https://bugzilla.suse.com/1254498

https://bugzilla.suse.com/1254509

https://bugzilla.suse.com/1255183

https://bugzilla.suse.com/1255191

https://bugzilla.suse.com/1255194

https://bugzilla.suse.com/1255195

https://bugzilla.suse.com/1255198

https://bugzilla.suse.com/1255200

https://bugzilla.suse.com/1255497

http://www.nessus.org/u?82c8e1bc

https://www.suse.com/security/cve/CVE-2023-43000

https://www.suse.com/security/cve/CVE-2025-13502

https://www.suse.com/security/cve/CVE-2025-13947

https://www.suse.com/security/cve/CVE-2025-14174

https://www.suse.com/security/cve/CVE-2025-43392

https://www.suse.com/security/cve/CVE-2025-43419

https://www.suse.com/security/cve/CVE-2025-43421

https://www.suse.com/security/cve/CVE-2025-43425

https://www.suse.com/security/cve/CVE-2025-43427

https://www.suse.com/security/cve/CVE-2025-43429

https://www.suse.com/security/cve/CVE-2025-43430

https://www.suse.com/security/cve/CVE-2025-43431

https://www.suse.com/security/cve/CVE-2025-43432

https://www.suse.com/security/cve/CVE-2025-43434

https://www.suse.com/security/cve/CVE-2025-43440

https://www.suse.com/security/cve/CVE-2025-43443

https://www.suse.com/security/cve/CVE-2025-43458

https://www.suse.com/security/cve/CVE-2025-43480

https://www.suse.com/security/cve/CVE-2025-43501

https://www.suse.com/security/cve/CVE-2025-43529

https://www.suse.com/security/cve/CVE-2025-43531

https://www.suse.com/security/cve/CVE-2025-43535

https://www.suse.com/security/cve/CVE-2025-43536

https://www.suse.com/security/cve/CVE-2025-43541

https://www.suse.com/security/cve/CVE-2025-66287

Plugin Details

Severity: High

ID: 281839

File Name: suse_SU-2026-0021-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 1/6/2026

Updated: 1/6/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-66287

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:webkit2gtk4-devel, p-cpe:/a:novell:suse_linux:typelib-1_0-webkit2-4_1, p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0-37, p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles, p-cpe:/a:novell:suse_linux:typelib-1_0-webkit-6_0, p-cpe:/a:novell:suse_linux:typelib-1_0-webkit2-4_0, p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0-18, p-cpe:/a:novell:suse_linux:webkitgtk-6_0-injected-bundles, p-cpe:/a:novell:suse_linux:libwebkitgtk-6_0-4, p-cpe:/a:novell:suse_linux:typelib-1_0-javascriptcore-4_1, p-cpe:/a:novell:suse_linux:typelib-1_0-webkit2webextension-4_0, p-cpe:/a:novell:suse_linux:webkit2gtk-4_1-injected-bundles, p-cpe:/a:novell:suse_linux:webkit2gtk3-soup2-devel, p-cpe:/a:novell:suse_linux:webkit2gtk3-devel, p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-6_0-1, p-cpe:/a:novell:suse_linux:webkitgtk-4.0-lang, p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_1-0, p-cpe:/a:novell:suse_linux:typelib-1_0-webkitwebprocessextension-6_0, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_1-0, p-cpe:/a:novell:suse_linux:typelib-1_0-webkit2webextension-4_1, p-cpe:/a:novell:suse_linux:typelib-1_0-javascriptcore-6_0, p-cpe:/a:novell:suse_linux:webkitgtk-4.1-lang, p-cpe:/a:novell:suse_linux:webkitgtk-6.0-lang, p-cpe:/a:novell:suse_linux:typelib-1_0-javascriptcore-4_0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/5/2026

Vulnerability Publication Date: 1/22/2024

CISA Known Exploited Vulnerability Due Dates: 1/2/2026, 1/5/2026

Reference Information

CVE: CVE-2023-43000, CVE-2025-13502, CVE-2025-13947, CVE-2025-14174, CVE-2025-43392, CVE-2025-43419, CVE-2025-43421, CVE-2025-43425, CVE-2025-43427, CVE-2025-43429, CVE-2025-43430, CVE-2025-43431, CVE-2025-43432, CVE-2025-43434, CVE-2025-43440, CVE-2025-43443, CVE-2025-43458, CVE-2025-43480, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536, CVE-2025-43541, CVE-2025-66287

SuSE: SUSE-SU-2026:0021-1