SUSE-SU-2026:21180-1

This update for webkit2gtk3 fixes the following issues:

Update to version 2.52.1.

Security issues fixed:

• CVE-2025-43213: processing maliciously crafted web content may lead to an unexpected crash due to improper memory handling (bsc#1259947).
• CVE-2025-43214: processing maliciously crafted web content may lead to an unexpected crash due to improper memory handling (bsc#1259946).
• CVE-2025-43457: processing maliciously crafted web content may lead to an unexpected crash due to use-after-free (bsc#1259942).
• CVE-2025-43511: processing maliciously crafted web content may lead to an unexpected process crash due to use-after-free (bsc#1259941).
• CVE-2025-46299: processing maliciously crafted web content may disclose internal states of an app due to improper memory initialization (bsc#1259940).
• CVE-2026-20608: processing maliciously crafted web content may lead to an unexpected process crash due to improper state management (bsc#1259939).
• CVE-2026-20635: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1259938).
• CVE-2026-20636: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1259937).
• CVE-2026-20643: processing maliciously crafted web content may bypass Same Origin Policy due to improper input validation (bsc#1261172).
• CVE-2026-20644: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1259936).
• CVE-2026-20652: a remote attacker may be able to cause a denial-of-service due to improper memory handling (bsc#1259935).
• CVE-2026-20664: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1261173).
• CVE-2026-20665: processing maliciously crafted web content may prevent Content Security Policy from being enforced due to improper state management (bsc#1261174).
• CVE-2026-20676: a website may be able to track users through web extensions due to improper state management (bsc#1259934).
• CVE-2026-20691: a maliciously crafted webpage may be able to fingerprint users due to improper state management (bsc#1261175).
• CVE-2026-28857: processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling (bsc#1261176).
• CVE-2026-28859: a malicious website may be able to process restricted web content outside the sandbox due to improper memory management (bsc#1261177).
• CVE-2026-28861: a malicious website may be able to access script message handlers intended for other origins due to improper state management (bsc#1261178).
• CVE-2026-28871: visiting a maliciously crafted website may lead to a cross-site scripting attack due to missing checks (bsc#1261179).

Other updates and bugfixes:

• Version 2.52.1:

  • Reduce the amount of useless MPRIS notifications produced by MediaSession when the information about media being played is incomplete.
  • Support turning off USE_GSTREAMER to configure the build with all multimedia features disabled.
  • Add Sysprof marks for mouse events.
  • Fix MediaSession icon for iheart.com not being displayed.
  • Fix the build with USEGSTREAMERGL disabled.
  • Fix the build with librice version 0.3.0 or newer.
  • Fix several crashes and rendering issues.
  • Translation updates: Georgian.

• Version 2.52.0:

  • Make scrolling with touch input smoother for small movements.
  • Fix estimated load progress of downloads when Content-Length value is wrong.
  • Ensure that "scrollend" events are correctly emitted after scroll animations.