SUSE SLES15 Security Update : webkit2gtk3 (SUSE-SU-2026:2378-1)

high Nessus Plugin ID 321066

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2378-1 advisory.

This update for webkit2gtk3 fixes the following issues:

Update to version 2.52.4:

- CVE-2026-28847: processing maliciously crafted web content may lead to an unexpected process crash or arbitrary code execution due to a heap buffer overflow (bsc#1267506).
- CVE-2026-28883: processing maliciously crafted web content may lead to an unexpected process crash due to a use-after-free issue (bsc#1267507).
- CVE-2026-28901: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1267508).
- CVE-2026-28902: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1267509).
- CVE-2026-28903: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1267510).
- CVE-2026-28904: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1267511).
- CVE-2026-28905: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1267512).
- CVE-2026-28907: processing maliciously crafted web content may prevent Content Security Policy from being enforced due to improper input validation (bsc#1267513).
- CVE-2026-28942: processing maliciously crafted web content may lead to an unexpected crash due to use-after-free (bsc#1267514).
- CVE-2026-28946: processing maliciously crafted web content may lead to an unexpected crash due to a use-after-free (bsc#1267515).
- CVE-2026-28947: processing maliciously crafted web content may lead to an unexpected crash due to a use-after-free (bsc#1267516).
- CVE-2026-28953: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1267517).
- CVE-2026-28955: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1267518).
- CVE-2026-28958: an app may be able to access sensitive user data due to improper data protection (bsc#1267519).
- CVE-2026-43658: processing maliciously crafted web content may lead to an unexpected crash due to improper memory handling (bsc#1267520).
- CVE-2026-43660: processing maliciously crafted web content may prevent Content Security Policy from being enforced due to issues with logic (bsc#1267521).

Changes:

+ Add support for half-width fonts.
+ Improve content filter compilation by avoiding file copies.
+ Improve handling of out of disk space conditions when the NetworkProcess tried to write data in caches.
+ Improve how the CMake build system checks whether libatomic is required.
+ Fix painting scrollbars when their width changes.
+ Fix playback of certain YouTube videos with low frame rates.
+ Fix webkit://gpu not working in systems where neither libGL.so.1 nor libOpenGL.so.0 are available.
+ Fix the build with librice 0.4 or newer when the GStreamer WebRTC backend is enabled at build configuration time.
+ Fix the build with USE_GSTREAMER_WEBRTC=OFF.
+ Fix the build with USE_GBM=OFF.
+ Fix several crashes and rendering issues.
+ Add support for the 'scrollbar-color' CSS property.
+ Fix some emoji glyphs being rendered as missing glyph boxes.
+ Fix JavaScriptCore crashes on architectures other than x86_64.
+ Fix the build on s390x.

Changes in version 2.52.2:

+ Improve handling of real-time threads.
+ Fix scrollbar rendering glitches visible in some GPU configurations.
+ Fix V4L2 hardware accelerated media codecs not working due to overly restrictive sandbox device access rules.
+ Fix leak of bitmap images in webkit_favicon_database_get_favicon_finish().
+ Fix the build with USE_GTK4=OFF.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1267506

https://bugzilla.suse.com/1267507

https://bugzilla.suse.com/1267508

https://bugzilla.suse.com/1267509

https://bugzilla.suse.com/1267510

https://bugzilla.suse.com/1267511

https://bugzilla.suse.com/1267512

https://bugzilla.suse.com/1267513

https://bugzilla.suse.com/1267514

https://bugzilla.suse.com/1267515

https://bugzilla.suse.com/1267516

https://bugzilla.suse.com/1267517

https://bugzilla.suse.com/1267518

https://bugzilla.suse.com/1267519

https://bugzilla.suse.com/1267520

https://bugzilla.suse.com/1267521

https://lists.suse.com/pipermail/sle-updates/2026-June/047260.html

https://www.suse.com/security/cve/CVE-2026-28847

https://www.suse.com/security/cve/CVE-2026-28883

https://www.suse.com/security/cve/CVE-2026-28901

https://www.suse.com/security/cve/CVE-2026-28902

https://www.suse.com/security/cve/CVE-2026-28903

https://www.suse.com/security/cve/CVE-2026-28904

https://www.suse.com/security/cve/CVE-2026-28905

https://www.suse.com/security/cve/CVE-2026-28907

https://www.suse.com/security/cve/CVE-2026-28942

https://www.suse.com/security/cve/CVE-2026-28946

https://www.suse.com/security/cve/CVE-2026-28947

https://www.suse.com/security/cve/CVE-2026-28953

https://www.suse.com/security/cve/CVE-2026-28955

https://www.suse.com/security/cve/CVE-2026-28958

https://www.suse.com/security/cve/CVE-2026-43658

https://www.suse.com/security/cve/CVE-2026-43660

Plugin Details

Severity: High

ID: 321066

File Name: suse_SU-2026-2378-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/14/2026

Updated: 6/14/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-28947

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:typelib-1_0-webkit2-4_1, p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0-37, p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles, p-cpe:/a:novell:suse_linux:typelib-1_0-webkit2-4_0, p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0-18, p-cpe:/a:novell:suse_linux:webkitgtk-6_0-injected-bundles, p-cpe:/a:novell:suse_linux:libwebkitgtk-6_0-4, p-cpe:/a:novell:suse_linux:typelib-1_0-javascriptcore-4_1, p-cpe:/a:novell:suse_linux:typelib-1_0-webkit2webextension-4_0, p-cpe:/a:novell:suse_linux:webkit2gtk-4_1-injected-bundles, p-cpe:/a:novell:suse_linux:webkit2gtk3-soup2-devel, p-cpe:/a:novell:suse_linux:webkit2gtk3-devel, p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-6_0-1, p-cpe:/a:novell:suse_linux:webkitgtk-4.0-lang, p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_1-0, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_1-0, p-cpe:/a:novell:suse_linux:typelib-1_0-webkit2webextension-4_1, p-cpe:/a:novell:suse_linux:webkitgtk-4.1-lang, p-cpe:/a:novell:suse_linux:webkitgtk-6.0-lang, p-cpe:/a:novell:suse_linux:typelib-1_0-javascriptcore-4_0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/11/2026

Vulnerability Publication Date: 5/11/2026

Reference Information

CVE: CVE-2026-28847, CVE-2026-28883, CVE-2026-28901, CVE-2026-28902, CVE-2026-28903, CVE-2026-28904, CVE-2026-28905, CVE-2026-28907, CVE-2026-28942, CVE-2026-28946, CVE-2026-28947, CVE-2026-28953, CVE-2026-28955, CVE-2026-28958, CVE-2026-43658, CVE-2026-43660

SuSE: SUSE-SU-2026:2378-1