SB2026032446 - Anolis OS update for webkitgtk



SB2026032446 - Anolis OS update for webkitgtk

Published: March 24, 2026

Security Bulletin ID SB2026032446
CSH Severity
High
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 17% Medium 33% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2025-13947)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output in WebKit. A remote attacker can trick the victim into visiting a specially crafted website and exfiltrate system information. 


2) Information disclosure (CVE-ID: CVE-2025-24143)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to fingerprint users.

The vulnerability exists due to excessive data output by WebKit. A remote attacker can trick the victim into visiting a specially crafted website and fingerprint the user.


3) Buffer overflow (CVE-ID: CVE-2025-43429)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and crash the browser.


4) Buffer overflow (CVE-ID: CVE-2025-43431)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into visiting a specially crafted website. trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


5) Use after free (CVE-ID: CVE-2025-43434)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted file and perform an unexpected Safari crash.


6) Buffer overflow (CVE-ID: CVE-2025-66287)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to crash the browser.

The vulnerability exists due to a boundary error when HTML content in WebKit. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and crash the browser.


Remediation

Install update from vendor's website.