The WebKitGTK Project

WebKitGTK 2.53.2 released!

2026-05-06T00:00:00+00:00

This is a development release leading toward 2.54 series.

What’s new in the WebKitGTK 2.53.2 release?

Only use DMA-BUF mapping for writing to the GPU atlas when possible.
Do not resolve ‘-apple-system’ font to default system font.
Set real time limits when not using the portal.
Report support for supported non-AAC mp4a codecs.
Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

WebKitGTK 2.53.1 released!

2026-04-17T00:00:00+00:00

This is the first development release leading toward 2.54 series.

What’s new in the WebKitGTK 2.53.1 release?

Remove the option to use cairo for 2D rendering.
Implement GPU atlas creation and replay substitution for batched raster image uploads.
Improved non accelerated composited mode by using the same buffer sharing implementation as accelerated mode.
The on-demand hardware acceleration policy is now deprecated in GTK3 API.
Add new improved API for page favicons.
Add webkit_feature_list_find() to public API.
Support PGO features in regular CMake builds.
Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

WebKitGTK 2.52.3 released!

2026-04-16T00:00:00+00:00

This is a bug fix release in the stable 2.52 series.

What’s new in the WebKitGTK 2.52.3 release?

Add support for the “scrollbar-color” CSS property.
Fix some emoji glyphs being rendered as missing glyph boxes.
Fix JavaScriptCore crashes on architectures other than x86_64.
Fix the build on s390x.
Fix several crashes and rendering issues.
Translation updates: Serbian.

Thanks to all the contributors who made possible this release.

WebKitGTK 2.52.2 released!

2026-04-13T00:00:00+00:00

This is a bug fix release in the stable 2.52 series.

What’s new in the WebKitGTK 2.52.2 release?

Improve handling of real-time threads.
Fix scrollbar rendering glitches visible in some GPU configurations.
Fix V4L2 hardware accelerated media codecs now working due to overly restrictive sandbox device access rules.
Fix leak of bitmap images in webkit_favicon_database_get_favicon_finish().
Fix the build with USE_GTK4=OFF.
Partially fix the build in BSD and other non-Linux Unix systems.
Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.

WebKitGTK and WPE WebKit Security Advisory WSA-2026-0002

2026-03-28T00:00:00+00:00

Date Reported: March 28, 2026
Advisory ID: WSA-2026-0002
CVE identifiers: CVE-2026-20643, CVE-2026-20664, CVE-2026-20665, CVE-2026-20691, CVE-2026-28857, CVE-2026-28859, CVE-2026-28861, CVE-2026-28871

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2026-20643
- Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
- Credit to Thomas Espach.
- Impact: Processing maliciously crafted web content may bypass Same Origin Policy. Description: A cross-origin issue in the Navigation API was addressed with improved input validation.
- WebKit Bugzilla: 306050
CVE-2026-20664
- Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
- Credit to Daniel Rhea, Söhnke Benedikt Fischedick (Tripton), Emrovsky & Switch, Yevhen Pervushyn.
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 306136
CVE-2026-20665
- Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
- Credit to webb.
- Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced. Description: This issue was addressed through improved state management.
- WebKit Bugzilla: 304951
CVE-2026-20691
- Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
- Credit to Gongyu Ma (@Mezone0).
- Impact: A maliciously crafted webpage may be able to fingerprint the user. Description: An authorization issue was addressed with improved state management.
- WebKit Bugzilla: 306827
CVE-2026-28857
- Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
- Credit to Narcis Oliveras Fontàs, Söhnke Benedikt Fischedick (Tripton), Daniel Rhea, Nathaniel Oh (@calysteon).
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 307723
CVE-2026-28859
- Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
- Credit to greenbynox, Arni Hardarson.
- Impact: A malicious website may be able to process restricted web content outside the sandbox. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 308248
CVE-2026-28861
- Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
- Credit to Hongze Wu and Shuaike Dong from Ant Group Infrastructure Security Team.
- Impact: A malicious website may be able to access script message handlers intended for other origins. Description: A logic issue was addressed with improved state management.
- WebKit Bugzilla: 307014
CVE-2026-28871
- Versions affected: WebKitGTK and WPE WebKit before 2.52.1.
- Credit to @hamayanhamayan.
- Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack. Description: A logic issue was addressed with improved checks.
- WebKit Bugzilla: 305859

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: webkitgtk.org/security.html or wpewebkit.org/security.

WebKitGTK 2.52.1 released!

2026-03-27T00:00:00+00:00

This is the first bug fix release in the stable 2.52 series.

What’s new in the WebKitGTK 2.52.1 release?

Reduce the amount of useless MPRIS notifications produced by MediaSesion when the information about media being played is incomplete.
Support turning off USE_GSTREAMER to configure the build with all multimedia features disabled.
Add Sysprof marks for mouse events.
Fix MediaSession icon for iheart.com not being displayed.
Fix the build with USE_GSTREAMER_GL disabled.
Fix the build with librice version 0.3.0 or newer.
Fix several crashes and rendering issues.
Translation updates: Georgian.

Thanks to all the contributors who made possible this release.

WebKitGTK 2.52.0 released!

2026-03-18T00:00:00+00:00

This is the first stable release in the 2.52 series.

Highlights of the WebKitGTK 2.52.0 release

Make text look like in other browsers by blending in linear color space.
Improved rendering performance by using a different tile size depending on whether GPU rendering is enabled or not.
Improved composition scheduling to avoid blocking waiting for tile painting.
Improved performance of accelerated 2D canvas by recording operations for batched replay.
Improved async scrolling when main thread is busy by avoiding locks and rendering the scrollbars from the scrolling thread.
Enabled dynamic MSAA for accelerated 2D canvas rendering.
Improved text rendering performance
Videos with BT2100-PQ colorspace are now tone-mapped to SDR, ensuring colours do not appear washed out.
Added support for the Audio Output Devices API.
Added API to handle WebXR permission requests.
Added API to query the immersive session status.
Added initial API for web extensions.

For more details about all the changes included in WebKitGTK 2.52 see the NEWS file that is included in the tarball.

Thanks to all the contributors who made possible this release.

WebKitGTK+ 2.52 highlights

2026-03-18T00:00:00+00:00

The WebKit team at Igalia is happy to announce a new release series of WebKitGTK. This is a summary of the most noteworthy changes from the latest release cycle.

libsoup 2 support has been removed

As it was announced in October last year, this is the first release series that only supports libsoup 3. Please take a look at the official annoucement for the details.

Graphics improvements

WebKitGTK graphics support has seen numerous improvements with a positive impact in rendering performance, resource usage, and better rendering. Let’s have a look at some of the most significant changes:

Compute the layers tile size, using a different strategy depending on whether GPU rendering is enabled. This optimizes resource usage depending on both hardware and software rendering mode.
WebKitGTK now uses run-loop observers to properly schedule layer flushing and composition, which results in snappier and better performing rendering and animation.
2D-canvas acceleration has now improved performance, as operations are recorded for batched replay.
Text rendering has better performance too.
In non-composite mode, it’s now also possible to use damage propagation.
Asynchronous scrolling has also seen performance improvements.

Additionally, many rendering issues have been fixed.

Multimedia improvements

WebRTC

When using GstWebRTC, WebRTC network access has been moved to the network process. This also requires librice, and building with the CMake USE_LIBRICE option. When this is enabled, it is still possible to choose the older libnice-based implementation at runtime by setting WEBKIT_GST_DISABLE_WEBRTC_NETWORK_SANDBOX=1 in the environment.

Having WebRTC network access in the network process is a security improvement, as it reduces the surface of attack in other more sensitive processes.

Other multimedia improvements

Videos with BT2100-PQ colorspace are now tone-mapped to SDR, ensuring colours do not appear washed out.
Support for the Audio Output Devices API, which allows Web content to enumerate audio devices and decide which one to use for output. This feature is disabled by default, and may be previewed using the ExposeSpeakers, ExposeSpeakersWithoutMicrophone, and PerElementSpeakerSelection feature flags.
Many code improvements to the GStreamer backend that will result in a more stable multimedia experience.

WebXR

WebXR support through OpenXR has seen substantial development this cycle:

New API has been added in order to support WebXR session permissions, querying whether a session is active and requesting to leave a session.
Support for WebXR Hand Input module has been added for ports using OpenXR.
Support for WebXR Hit Test Module is added with testable status, so it can be enabled at runtime (--features=+WebXRHitTestModule) or at build time passing -DENABLE_WEBXR_HIT_TEST=ON.

API Changes

An initial API to support Web Extensions has been added in this release cycle.

Web Standards support

As usual, this list is not exhaustive as WebKit continuously progresses in its support for new standards. Some of the highlights for this release are:

Largest Contentful Paint is now enabled.
Pointer and Touch Events now use more precise fractional coordinates.
The Fetch API now accepts local connections.
The Navigation API is now enabled.
The Event Timing API is now enabled.
The CSS random() function (in draft status) is now available.
CSS field-sizing is now available.
The Keyboard lock API is now available.
The Origin API is now available.
The Readable Byte Streams API is now available.
Enabled CSS grid-lanes (a.k.a. Masonry layout), part of CSS Grid Layout Module Level 3.

Other notes

The Flatpak-based development SDK has been removed. Developers are encouraged to use the WebKit Container SDK instead.

Building with Enchant 1.x is no longer supported, Enchant 2.x is now always used for spell-checking.

WebKitGTK and WPE WebKit Security Advisory WSA-2026-0001

2026-03-18T00:00:00+00:00

Date Reported: March 18, 2026
Advisory ID: WSA-2026-0001
CVE identifiers: CVE-2023-43010, CVE-2025-31223, CVE-2025-31277, CVE-2025-43213, CVE-2025-43214, CVE-2025-43433, CVE-2025-43438, CVE-2025-43441, CVE-2025-43457, CVE-2025-43511, CVE-2025-46299, CVE-2026-20608, CVE-2026-20635, CVE-2026-20636, CVE-2026-20644, CVE-2026-20652, CVE-2026-20676

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2023-43010
- Versions affected: WebKitGTK and WPE WebKit before 2.44.0.
- Credit to Apple.
- Impact: Processing maliciously crafted web content may lead to memory corruption. This fix associated with the Coruna exploit was shipped in iOS 17.2 on December 11th, 2023. This update brings that fix to devices that cannot update to the latest iOS version. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 260913
CVE-2025-31223
- Versions affected: WebKitGTK and WPE WebKit before 2.50.0.
- Credit to Andreas Jaegersberger & Ro Achterberg of Nosebeard Labs.
- Impact: Processing maliciously crafted web content may lead to memory corruption. Description: The issue was addressed with improved checks.
- WebKit Bugzilla: 289387
CVE-2025-31277
- Versions affected: WebKitGTK and WPE WebKit before 2.50.0.
- Credit to Yuhao Hu, Yan Kang, Chenggang Wu, and Xiaojie Wei.
- Impact: Processing maliciously crafted web content may lead to memory corruption. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 291745
CVE-2025-43213
- Versions affected: WebKitGTK and WPE WebKit before 2.50.5.
- Credit to Google V8 Security Team.
- Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 292621
CVE-2025-43214
- Versions affected: WebKitGTK and WPE WebKit before 2.50.5.
- Credit to shandikri working with Trend Micro Zero Day Initiative, Google V8 Security Team.
- Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 292599
CVE-2025-43433
- Versions affected: WebKitGTK and WPE WebKit before 2.50.2.
- Credit to Google Big Sleep.
- Impact: Processing maliciously crafted web content may lead to memory corruption. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 298093
CVE-2025-43438
- Versions affected: WebKitGTK and WPE WebKit before 2.50.2.
- Credit to rheza (@ginggilBesel), shandikri working with Trend Micro Zero Day Initiative.
- Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash. Description: A use-after-free issue was addressed with improved memory management.
- WebKit Bugzilla: 297662
CVE-2025-43441
- Versions affected: WebKitGTK and WPE WebKit before 2.50.2.
- Credit to rheza (@ginggilBesel).
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 298496
CVE-2025-43457
- Versions affected: WebKitGTK and WPE WebKit before 2.50.6.
- Credit to Gary Kwong, Hossein Lotfi (@hosselot) of Trend Micro Zero Day Initiative.
- Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash. Description: A use-after-free issue was addressed with improved memory management.
- WebKit Bugzilla: 298606
CVE-2025-43511
- Versions affected: WebKitGTK and WPE WebKit before 2.50.5.
- Credit to 이동하 (Lee Dong Ha of BoB 14th).
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: A use-after-free issue was addressed with improved memory management.
- WebKit Bugzilla: 300926
CVE-2025-46299
- Versions affected: WebKitGTK and WPE WebKit before 2.52.0.
- Credit to Google Big Sleep.
- Impact: Processing maliciously crafted web content may disclose internal states of the app. Description: A memory initialization issue was addressed with improved memory handling.
- WebKit Bugzilla: 299518
CVE-2026-20608
- Versions affected: WebKitGTK and WPE WebKit before 2.50.6.
- Credit to HanQing from TSDubhe and Nan Wang (@eternalsakura13).
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: This issue was addressed through improved state management.
- WebKit Bugzilla: 303357
CVE-2026-20635
- Versions affected: WebKitGTK and WPE WebKit before 2.50.6.
- Credit to EntryHi.
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 304661
CVE-2026-20636
- Versions affected: WebKitGTK and WPE WebKit before 2.50.6.
- Credit to EntryHi.
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 304657
CVE-2026-20644
- Versions affected: WebKitGTK and WPE WebKit before 2.50.6.
- Credit to HanQing from TSDubhe and Nan Wang (@eternalsakura13).
- Impact: Processing maliciously crafted web content may lead to an unexpected process crash. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 303444
CVE-2026-20652
- Versions affected: WebKitGTK and WPE WebKit before 2.50.6.
- Credit to Nathaniel Oh (@calysteon).
- Impact: A remote attacker may be able to cause a denial-of-service. Description: The issue was addressed with improved memory handling.
- WebKit Bugzilla: 303959
CVE-2026-20676
- Versions affected: WebKitGTK and WPE WebKit before 2.50.6.
- Credit to Tom Van Goethem.
- Impact: A website may be able to track users through Safari web extensions. Description: This issue was addressed through improved state management.
- WebKit Bugzilla: 305020

Further information about WebKitGTK and WPE WebKit security advisories can be found at: webkitgtk.org/security.html or wpewebkit.org/security.

WebKitGTK 2.50.6 released!

2026-03-12T00:00:00+00:00

This is a bug fix release in the stable 2.50 series.

What’s new in the WebKitGTK 2.50.6 release?

Fix sample code included in the documentation of the webkit_user_content_manager_register_script_message_handler() function.
Fix MP4 muxing when using GStreamer 1.28.
Fix WebAudio not resuming correctly after using window.alert().
Fix WebAudio producing incorrect output in some cases due to incorrect sample buffer management.
Fix several crashes and rendering issues.

Thanks to all the contributors who made possible this release.