diff --git a/backport-CVE-2023-28204.patch b/backport-CVE-2023-28204.patch
new file mode 100644
index 0000000000000000000000000000000000000000..17d4a96324a0575a9eea8c21bf5ff3dea8194989
--- /dev/null
+++ b/backport-CVE-2023-28204.patch
@@ -0,0 +1,102 @@
+From e34edaa74575ee13efcebdb7672b949a743ab32a Mon Sep 17 00:00:00 2001
+From: Michael Saboff
+Date: Mon, 3 Apr 2023 20:25:08 -0700
+Subject: [PATCH] [JSC] RegExpGlobalData::performMatch issue leading to OOB
+ read https://bugs.webkit.org/show_bug.cgi?id=254930 rdar://107436732
+
+Reviewed by Alexey Shvayka.
+
+Fixed two issues:
+1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP
+ characters. Since it is an assertion, we shouldn't advance the character position.
+ Made the same fix to matchAssertionEOL().
+2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of
+ a non-BMP character for the case where the RegExp match is empty.
+
+* JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test.
+* Source/JavaScriptCore/runtime/StringPrototype.cpp:
+(JSC::replaceUsingRegExpSearch):
+* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
+(JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance):
+(JSC::Yarr::Interpreter::matchAssertionBOL):
+(JSC::Yarr::Interpreter::matchAssertionEOL):
+
+Canonical link: https://commits.webkit.org/259548.551@safari-7615-branch
+---
+ .../runtime/StringPrototype.cpp | 10 ++++++++++
+ .../JavaScriptCore/yarr/YarrInterpreter.cpp | 19 +++++++++++++++++--
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp
+index 08104b1d..459295f7 100644
+--- a/Source/JavaScriptCore/runtime/StringPrototype.cpp
++++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp
+@@ -603,6 +603,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
+ startPosition++;
+ if (startPosition > sourceLen)
+ break;
++ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
++ startPosition++;
++ if (startPosition > sourceLen)
++ break;
++ }
+ }
+ }
+ } else {
+@@ -682,6 +687,11 @@ static ALWAYS_INLINE
JSString* replaceUsingRegExpSearch(
+ startPosition++;
+ if (startPosition > sourceLen)
+ break;
++ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
++ startPosition++;
++ if (startPosition > sourceLen)
++ break;
++ }
+ }
+ } while (global);
+ }
+diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
+index 95a848a1..d222e620 100644
+--- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
++++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
+@@ -209,6 +209,21 @@ public:
+ }
+ return result;
+ }
++
++ int readCheckedDontAdvance(unsigned negativePositionOffest)
++ {
++ RELEASE_ASSERT(pos >= negativePositionOffest);
++ unsigned p = pos - negativePositionOffest;
++ ASSERT(p < length);
++ int result = input[p];
++ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
++ if (atEnd())
++ return -1;
++
++ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
++ }
++ return result;
++ }
+
+ int readSurrogatePairChecked(unsigned negativePositionOffset)
+ {
+@@ -482,13 +497,13 @@ public:
+
+ bool matchAssertionBOL(ByteTerm& term)
+ {
+- return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition + 1)));
++ return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition + 1)));
+ }
+
+ bool matchAssertionEOL(ByteTerm& term)
+ {
+ if (term.inputPosition)
+- return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition)));
++ return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition)));
+
+ return (input.atEnd()) || (pattern->multiline() &&
testCharacterClass(pattern->newlineCharacterClass, input.read()));
+ }
+--
+2.33.0
+
diff --git a/backport-CVE-2023-32373.patch b/backport-CVE-2023-32373.patch
new file mode 100644
index 0000000000000000000000000000000000000000..83d6bdd7ddaf64ce0d5d22f7979ece4cfff4f5a5
--- /dev/null
+++ b/backport-CVE-2023-32373.patch
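Review bot: In both replaceUsingRegExpSearch hunks the new surrogate check can index one past the string: after `startPosition++` the guard `if (startPosition > sourceLen) break;` still admits `startPosition == sourceLen`, so when the last code unit is a lead surrogate `source[startPosition]` reads index `sourceLen`. That is only safe if `source`'s `operator[]` bounds-checks (WTF::String returns 0 there, a StringView does not), which the hunk does not show; an explicit `if (startPosition < sourceLen && U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {` removes the dependence. Separately, the commit message lists `JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js` as a new test but the diffstat says only two files changed, so this backport carries no regression test; consider carrying it (or noting its omission in the patch header) so the 2.36.3 build can be checked against the original bug. The enclosing function bodies start and end outside the hunks.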
@@ -0,0 +1,36 @@
+From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001
+From: Antoine Quint
+Date: Mon, 22 May 2023 13:37:32 -0700
+Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles
+ https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873
+
+Reviewed by Dean Jackson and Darin Adler.
+
+Ensure that the animation's effect and target are kept alive for the duration of this method
+since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus
+these two pointers could be changed to a null value using the Web Animations API.
+
+* Source/WebCore/animation/WebAnimation.cpp:
+(WebCore::WebAnimation::commitStyles):
+
+Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873
+Canonical link: https://commits.webkit.org/264363@main
+---
+ Source/WebCore/animation/WebAnimation.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp
+index 68ea47985807..ae20c79c36cf 100644
+--- a/Source/WebCore/animation/WebAnimation.cpp
++++ b/Source/WebCore/animation/WebAnimation.cpp
+@@ -1531,8 +1531,8 @@ ExceptionOr WebAnimation::commitStyles()
+ // https://drafts.csswg.org/web-animations-1/#commit-computed-styles
+
+ // 1. Let targets be the set of all effect targets for animation effects associated with animation.
+- auto* effect = dynamicDowncast(m_effect.get());
+- auto* target = effect ? effect->target() : nullptr;
++ RefPtr effect = dynamicDowncast(m_effect.get());
++ RefPtr target = effect ? effect->target() : nullptr;
+
+ // 2. For each target in targets:
+ //
diff --git a/backport-CVE-2023-32409.patch b/backport-CVE-2023-32409.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f7847246daa656bb6ec8ab013bbda926d959f0e6
--- /dev/null
+++ b/backport-CVE-2023-32409.patch
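Review bot: The removed lines of this hunk call `dynamicDowncast` and sit at line 1531 of WebAnimation.cpp, i.e. the file is the upstream main commit (264363@main) taken verbatim rather than rebased onto the 2.36.3 tree this spec builds; if 2.36.3 still spells that line with `is<>`/`downcast<>` (I believe `dynamicDowncast` postdates the 2.36 branch), the hunk will not apply, so the `%prep` output or build log should be checked before this is considered fixed. Once applied, the `RefPtr` locals only keep `effect` and `target` alive across `updateStyleIfNeeded()`; every later use of them is outside the hunk, so it is worth confirming that nothing after that call re-reads `m_effect` instead of the local. commitStyles begins and ends outside the hunk.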
@@ -0,0 +1,32 @@
+From 54408f5746f2401721bd56d71de132a22b6f9856 Mon Sep 17 00:00:00 2001
+From: Mike Wyrzykowski
+Date: Wed, 12 Apr 2023 17:30:56 -0700
+Subject: [PATCH] [WebGPU] RemoteBuffer unmap should check the input vector
+ https://bugs.webkit.org/show_bug.cgi?id=255350
+
+Reviewed by Myles C. Maxfield.
+
+Ensure data vector passed to unmap is valid for the currently
+mapped buffer.
+
+* Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp:
+(WebKit::RemoteBuffer::unmap):
+
+Canonical link: https://commits.webkit.org/262895@main
+---
+ Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp b/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp
+index f533f5c30c32b..ec12ea2ac171b 100644
+--- a/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp
++++ b/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp
+@@ -79,7 +79,7 @@ void RemoteBuffer::getMappedRange(PAL::WebGPU::Size64 offset, std::optional&& data) + {
+- if (!m_mappedRange)
++ if (!m_mappedRange || m_mappedRange->byteLength < data.size())
+ return;
+ ASSERT(m_isMapped);
+
diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec
index 289bf8102fae11e49333ac08b2e2ec74dc0fe6e2..dc60c28dbf2724fff2afca906866bbefb2875c0f 100644
--- a/webkit2gtk3.spec
+++ b/webkit2gtk3.spec
@@ -9,7 +9,7 @@
 #Basic Information
 Name: webkit2gtk3
 Version: 2.36.3
-Release: 3
+Release: 4
 Summary: GTK+ Web content engine library
 License: LGPLv2
 URL: https://www.webkitgtk.org/
@@ -27,6 +27,10 @@ Patch0001: 0001-webkitgtk-add-loongarch.patch
 Patch0002: webkitgtk-2.32.1-sw.patch
 %endif
+Patch6000: backport-CVE-2023-28204.patch
+Patch6001: backport-CVE-2023-32373.patch
+Patch6002: backport-CVE-2023-32409.patch
+
 #Dependency
 BuildRequires: at-spi2-core-devel bison cairo-devel cmake enchant2-devel
 BuildRequires: flex fontconfig-devel freetype-devel ninja-build
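Review bot: The new guard in RemoteBuffer::unmap rejects a `data` vector larger than the mapped range but then simply returns, leaving the buffer mapped and `m_isMapped` set; this code lives under GPUProcess and `data` presumably arrives over IPC from the web content process, so an oversized vector is a malformed message from the sender, and dropping it silently keeps the stale mapping alive until some later message. Consider treating it as a message-check failure rather than a benign early return, e.g. `MESSAGE_CHECK(m_mappedRange->byteLength >= data.size());` if that macro is available in this file, or at least document the choice above the `if`: `// Oversized data is a malformed message; drop it without touching the mapping.`. The check also accepts a `data` shorter than `byteLength`, so the copy that follows must be driven by `data.size()` rather than by `m_mappedRange->byteLength`. The rest of unmap is outside the hunk, as is the mangled signature text in the hunk header.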
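Review bot: The spec hunk only declares `Patch6000`–`Patch6002`; whether they are applied depends on `%prep`, which is outside this diff. If `%prep` uses `%autosetup -p1` the new entries take effect automatically, but if it applies patches with explicit `%patchNNNN -p1` lines the three CVE fixes are declared and never applied, and the Release bump and changelog would then claim fixes the built binaries do not contain, so the `%prep` section should be checked. A comment on the new block would help the next backporter, e.g. `# Security backports from upstream WebKit: CVE-2023-28204, CVE-2023-32373, CVE-2023-32409`.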
@@ -215,6 +219,9 @@ done
 %endif
 %changelog
+* Mon May 29 2023 zhangpan - 2.36.3-4
+- fix CVE-2023-28204 CVE-2023-32373 CVE-2023-32409
+
 * Tue Nov 29 2022 wuzx - 2.36.3-3
 - Add sw64 architecture