SB2026051204 - Multiple vulnerabilities in WebKitGTK+ and WPE WebKit

Published: May 12, 2026

Security Bulletin ID: SB2026051204
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 20
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 20%
Low: 80%

Description

This security bulletin contains information about 20 vulnerabilities.


1) Memory corruption (CVE-ID: CVE-2026-28903)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.


2) Protection Mechanism Failure (CVE-ID: CVE-2026-43660)

The vulnerability allows a remote attacker to prevent CSP enforcement.

The vulnerability exists due to insufficient implementation of security measures in WebKit. A remote attacker can trick the victim into visiting a specially crafted website and prevent Content Security Policy from being enforced.


3) Protection Mechanism Failure (CVE-ID: CVE-2026-28907)

The vulnerability allows a remote attacker to prevent CSP enforcement.

The vulnerability exists due to insufficient implementation of security measures in WebKit. A remote attacker can trick the victim into visiting a specially crafted website and prevent Content Security Policy from being enforced.


4) Improper access control (CVE-ID: CVE-2026-28962)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper access restrictions in WebKit when rendering content. A remote attacker can trick the victim into visiting a specially crafted website and gain access to sensitive information. 


5) Memory corruption (CVE-ID: CVE-2026-43658)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected Safari crash.


6) Memory corruption (CVE-ID: CVE-2026-28905)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.


7) Memory corruption (CVE-ID: CVE-2026-28847)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.


8) Memory corruption (CVE-ID: CVE-2026-28904)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.


9) Memory corruption (CVE-ID: CVE-2026-28955)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.


10) Memory corruption (CVE-ID: CVE-2026-28953)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.


11) Protection Mechanism Failure (CVE-ID: CVE-2026-28971)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A malicious iframe may use another website's download settings, which can lead to spoofing of the browser's UI.


12) Memory corruption (CVE-ID: CVE-2026-28902)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.


13) Memory corruption (CVE-ID: CVE-2026-28901)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.


14) Memory corruption (CVE-ID: CVE-2026-28913)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.


15) Use after free (CVE-ID: CVE-2026-28883)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.


16) Exposure of sensitive information to an unauthorized actor (CVE-ID: CVE-2026-28958)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to excessive data output in WebKit. A local application can access sensitive user data.


17) Improper input validation (CVE-ID: CVE-2026-28917)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected process crash.


18) Use after free (CVE-ID: CVE-2026-28947)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected Safari crash.


19) Use after free (CVE-ID: CVE-2026-28946)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected Safari crash.


20) Use after free (CVE-ID: CVE-2026-28942)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim into opening a specially crafted website and perform an unexpected Safari crash.


Remediation

Install the update from the vendor's website.