Description
A flaw was found in WebKitGTK and WPE WebKit. This vulnerability allows an out-of-bounds read and integer underflow, leading to a UIProcess crash (DoS) via a crafted payload to the GLib remote inspector server.
Published: 2025-11-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A flaw in WebKitGTK and WPE WebKit permits an out‑of‑bounds read coupled with an integer underflow. The vulnerability is triggered by a crafted payload sent to an application’s GLib remote inspector server, causing the UIProcess to crash. The crash results in a denial‑of‑service condition for the affected application or system.

Affected Systems

This vulnerability affects several Red Hat Enterprise Linux releases, including RHEL 6, RHEL 7, RHEL 7 Extended Lifecycle Support, RHEL 8, RHEL 8.2 Advanced Update Support, RHEL 8.4 Advanced Mission Critical Update Support, RHEL 8.4 Extended Update Support Long‑Life Add‑On, RHEL 8.6 Advanced Mission Critical Update Support, RHEL 8.6 Telecommunications Update Service, RHEL 8.6 Update Services for SAP Solutions, RHEL 8.8 Telecommunications Update Service, RHEL 8.8 Update Services for SAP Solutions, RHEL 9, RHEL 9.0 Update Services for SAP Solutions, RHEL 9.2 Update Services for SAP Solutions, RHEL 9.4 Extended Update Support, RHEL 9.6 Extended Update Support and the WebKitGTK Team’s webkitgtk product. All these platforms deploy the WebKitGTK or WPE WebKit components that contain the vulnerability.

Risk and Exploitability

The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, score 7.5) describes a network‑reachable flaw that needs no privileges or user interaction and affects availability only; the EPSS score of less than 1% indicates a very low observed probability of exploitation at the time of the analysis, and the vulnerability is not listed in CISA’s KEV catalog. The trigger is a malicious payload sent to the GLib remote inspector server, so an attacker needs only to reach the socket that server listens on. That server is not running by default: WebKitGTK and WPE WebKit start it only when the application is launched with the WEBKIT_INSPECTOR_SERVER environment variable set to a listen address, so exposure is limited to deployments that have opted into remote debugging, and above all to those that bind it to a non‑loopback address. A successful trigger crashes the UIProcess, that is, the embedding application itself rather than a sandboxed web content process, making the service unavailable to downstream users.

Generated by OpenCVE AI on April 20, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Red Hat security update packages that fix WebKitGTK (e.g., RHSA‑2025:22789 and related errata).
  • Restart any services or applications that utilize WebKitGTK to force loading of the patched library.
  • If the GLib remote inspector is not required, do not set WEBKIT_INSPECTOR_SERVER in the environment of WebKitGTK/WPE applications (the server is only started when that variable is set); where remote debugging is needed, bind it to 127.0.0.1 or another address that is not reachable from untrusted networks.
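The checks behind the last two actions can be automated. The script below is an added example (not code from the OpenCVE page or from the WebKit project): it reports processes that still map a WebKit library that has been replaced on disk since they started (the `(deleted)` marker in /proc/PID/maps, meaning the patched library is not yet loaded) and processes whose environment enables the remote inspector server through WEBKIT_INSPECTOR_SERVER (or WEBKIT_INSPECTOR_HTTP_SERVER in newer releases). It assumes a Linux /proc filesystem and the usual library sonames; the sample maps and environ data in `demo_constructed_input` are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the OpenCVE page or from the WebKit project.
# After installing the patched WebKitGTK/WPE packages, find (1) processes that
# still have the old, now-deleted library mapped (they need a restart) and
# (2) processes whose environment enables the GLib remote inspector server,
# which WebKitGTK starts only when WEBKIT_INSPECTOR_SERVER=host:port (or
# WEBKIT_INSPECTOR_HTTP_SERVER) is set. Assumes a Linux /proc filesystem;
# the library names are the usual soname prefixes (assumption).

WEBKIT_LIBS='libwebkit2gtk|libwebkitgtk|libWPEWebKit|libjavascriptcoregtk'

# Count lines of a /proc/PID/maps listing (stdin) that map a WebKit library
# whose file has been replaced on disk since the process started.
stale_webkit_maps() {
    grep -E "$WEBKIT_LIBS" | grep -c '(deleted)' || true
}

# Print the inspector listen address from a NUL-separated /proc/PID/environ
# stream (stdin); print nothing when the inspector is not enabled.
inspector_listen_addr() {
    tr '\0' '\n' | sed -n 's/^WEBKIT_INSPECTOR_\(HTTP_\)\{0,1\}SERVER=//p'
}

# Walk /proc and report PIDs that need attention. Entries that cannot be
# read (other users' processes without root) are skipped silently.
scan_procs() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        stale=$(stale_webkit_maps < "$p/maps" 2>/dev/null) || stale=0
        addr=$(inspector_listen_addr < "$p/environ" 2>/dev/null)
        [ "$stale" -gt 0 ] && echo "pid $pid ($comm): $stale stale WebKit mapping(s), restart required"
        [ -n "$addr" ] && echo "pid $pid ($comm): remote inspector enabled on $addr"
    done
    return 0
}

# Run both helpers on constructed sample data so the logic can be checked
# without touching /proc. Neither sample comes from a real system.
demo_constructed_input() {
    maps_sample='7f00-7f01 r-xp 00000000 fd:01 12 /usr/lib64/libwebkit2gtk-4.1.so.0.14.4 (deleted)
7f02-7f03 r-xp 00000000 fd:01 13 /usr/lib64/libc.so.6
7f04-7f05 r-xp 00000000 fd:01 14 /usr/lib64/libjavascriptcoregtk-4.1.so.0 (deleted)'
    echo "stale mappings in sample: $(printf '%s\n' "$maps_sample" | stale_webkit_maps)"
    addr=$(printf 'HOME=/root\0WEBKIT_INSPECTOR_SERVER=127.0.0.1:1234\0PATH=/bin\0' | inspector_listen_addr)
    echo "inspector address in sample environ: ${addr:-<not enabled>}"
}

case "${1:-}" in
    scan) scan_procs ;;
    *)    demo_constructed_input ;;
esac
```

Run it as `sh webkit_check.sh scan` (as root, to read every process's maps and environ); without arguments it only exercises the two helpers on the constructed samples. A process listed with stale mappings keeps executing the vulnerable code until it is restarted, regardless of what `rpm -q` reports for the package.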


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:30:00 +0000

  References: updated

Mon, 22 Dec 2025 06:30:00 +0000

  First Time appeared (added): Redhat rhel Tus
  CPEs (added):
    cpe:/a:redhat:rhel_aus:8.6::appstream
    cpe:/a:redhat:rhel_e4s:8.6::appstream
    cpe:/a:redhat:rhel_e4s:8.8::appstream
    cpe:/a:redhat:rhel_tus:8.6::appstream
    cpe:/a:redhat:rhel_tus:8.8::appstream
  Vendors & Products (added): Redhat rhel Tus
  References: updated

Thu, 18 Dec 2025 11:30:00 +0000

  First Time appeared (added): Redhat rhel Els
  CPEs (added): cpe:/o:redhat:rhel_els:7
  Vendors & Products (added): Redhat rhel Els
  References: updated

Thu, 18 Dec 2025 09:30:00 +0000

  CPEs (added): cpe:/a:redhat:rhel_eus:9.4::appstream
  References: updated

Wed, 17 Dec 2025 15:00:00 +0000

  CPEs (added):
    cpe:/a:redhat:rhel_aus:8.2::appstream
    cpe:/a:redhat:rhel_e4s:9.0::appstream
  References: updated

Wed, 17 Dec 2025 12:45:00 +0000

  First Time appeared (added): Redhat rhel E4s
  CPEs (added): cpe:/a:redhat:rhel_e4s:9.2::appstream
  Vendors & Products (added): Redhat rhel E4s
  References: updated

Wed, 17 Dec 2025 06:30:00 +0000

  First Time appeared (added): Redhat rhel Aus, Redhat rhel Eus Long Life
  CPEs (added):
    cpe:/a:redhat:rhel_aus:8.4::appstream
    cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
  Vendors & Products (added): Redhat rhel Aus, Redhat rhel Eus Long Life
  References: updated

Thu, 11 Dec 2025 12:00:00 +0000

  First Time appeared (added): Redhat rhel Eus
  CPEs (added): cpe:/a:redhat:rhel_eus:9.6::appstream
  Vendors & Products (added): Redhat rhel Eus
  References: updated

Mon, 08 Dec 2025 07:00:00 +0000

  CPEs (removed): cpe:/o:redhat:enterprise_linux:8
  CPEs (added): cpe:/a:redhat:enterprise_linux:8::appstream
  References: updated

Mon, 08 Dec 2025 02:45:00 +0000

  CPEs (removed): cpe:/o:redhat:enterprise_linux:9
  CPEs (added): cpe:/a:redhat:enterprise_linux:9::appstream
  References: updated

Tue, 25 Nov 2025 15:15:00 +0000

  Metrics (added), ssvc:
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 25 Nov 2025 12:15:00 +0000

  Weaknesses (added): CWE-125
  References: updated
  Metrics, threat_severity (removed): None
  Metrics, threat_severity (added): Important

Tue, 25 Nov 2025 08:15:00 +0000

  Description (added): A flaw was found in WebKitGTK and WPE WebKit. This vulnerability allows an out-of-bounds read and integer underflow, leading to a UIProcess crash (DoS) via a crafted payload to the GLib remote inspector server.
  Title (added): Webkit: webkitgtk / wpe webkit: out-of-bounds read and integer underflow vulnerability leading to dos
  First Time appeared (added): Redhat, Redhat enterprise Linux
  Weaknesses (added): CWE-190
  CPEs (added):
    cpe:/o:redhat:enterprise_linux:6
    cpe:/o:redhat:enterprise_linux:7
    cpe:/o:redhat:enterprise_linux:8
    cpe:/o:redhat:enterprise_linux:9
  Vendors & Products (added): Redhat, Redhat enterprise Linux
  References: updated
  Metrics (added), cvssV3_1:
    {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-20T13:57:49.229Z

Reserved: 2025-11-21T07:48:53.245Z

Link: CVE-2025-13502

Vulnrichment

Updated: 2025-11-25T14:40:24.497Z

NVD

Status: Deferred

Published: 2025-11-25T08:15:51.917

Modified: 2026-04-20T16:16:40.110

Link: CVE-2025-13502

Redhat

Severity: Important

Public Date: 2025-11-25T07:59:40Z

Links: CVE-2025-13502 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T15:30:06Z

Weaknesses