Full Disclosure mailing list archives
APPLE-SA-03-24-2026-9 Safari 26.4
From: Apple Product Security via Fulldisclosure
Date: Tue, 24 Mar 2026 17:04:55 -0700
APPLE-SA-03-24-2026-9 Safari 26.4

Safari 26.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/126800

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 304951
CVE-2026-20665: webb

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may bypass Same Origin Policy
Description: A cross-origin issue in the Navigation API was addressed with improved input validation.
WebKit Bugzilla: 306050
CVE-2026-20643: Thomas Espach

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: A logic issue was addressed with improved checks.
WebKit Bugzilla: 305859
CVE-2026-28871: @hamayanhamayan

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 306136
CVE-2026-20664: Daniel Rhea, Söhnke Benedikt Fischedick (Tripton), Emrovsky & Switch, Yevhen Pervushyn
WebKit Bugzilla: 307723
CVE-2026-28857: Narcis Oliveras Fontàs, Söhnke Benedikt Fischedick (Tripton), Daniel Rhea, Nathaniel Oh (@calysteon)

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: A malicious website may be able to access script message handlers intended for other origins
Description: A logic issue was addressed with improved state management.
WebKit Bugzilla: 307014
CVE-2026-28861: Hongze Wu and Shuaike Dong from Ant Group Infrastructure Security Team

WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: A malicious website may be able to process restricted web content outside the sandbox
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 308248
CVE-2026-28859: greenbynox, Arni Hardarson

WebKit Sandboxing
Available for: macOS Sonoma and macOS Sequoia
Impact: A maliciously crafted webpage may be able to fingerprint the user
Description: An authorization issue was addressed with improved state management.
WebKit Bugzilla: 306827
CVE-2026-20691: Gongyu Ma (@Mezone0)

Additional recognition

Safari
We would like to acknowledge @RenwaX23, Bikesh Parajuli, Farras Givari, Syarif Muhammad Sajjad, Yair for their assistance.

Web Extensions
We would like to acknowledge Carlos Jeurissen, Rob Wu (robwu.nl) for their assistance.

WebKit
We would like to acknowledge Vamshi Paili for their assistance.

WebKit Process Model
We would like to acknowledge Joseph Semaan for their assistance.

Safari 26.4 may be obtained from the Mac App Store.

All information is also posted on the Apple Security Releases
web site: https://support.apple.com/100100

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- APPLE-SA-03-24-2026-9 Safari 26.4 Apple Product Security via Fulldisclosure (Mar 28)
Facts Only
Apple released Safari 26.4 on March 24, 2026.
The update addresses security vulnerabilities in WebKit for macOS Sonoma and macOS Sequoia.
Vulnerabilities include bypassing Content Security Policy (CSP) and Same Origin Policy (SOP).
Issues also include cross-site scripting (XSS) attacks, process crashes, unauthorized access to script message handlers, and sandbox escapes.
Fixes involve improved state management, input validation, memory handling, and authorization checks.
CVE identifiers include CVE-2026-20665, CVE-2026-20643, CVE-2026-28871, CVE-2026-20664, CVE-2026-28857, CVE-2026-28861, CVE-2026-28859, and CVE-2026-20691.
Researchers credited include webb, Thomas Espach, @hamayanhamayan, Daniel Rhea, Söhnke Benedikt Fischedick, Emrovsky & Switch, Yevhen Pervushyn, Narcis Oliveras Fontàs, Nathaniel Oh, Hongze Wu, Shuaike Dong, greenbynox, Arni Hardarson, and Gongyu Ma.
Additional acknowledgments include @RenwaX23, Bikesh Parajuli, Farras Givari, Syarif Muhammad Sajjad, Yair, Carlos Jeurissen, Rob Wu, Vamshi Paili, and Joseph Semaan.
The update is available via the Mac App Store.
Security content details are posted on Apple’s support page.
Executive Summary
Apple has released Safari 26.4, addressing multiple security vulnerabilities in WebKit that affect macOS Sonoma and Sequoia. The update resolves issues such as bypassing Content Security Policy (CSP) and Same Origin Policy (SOP), cross-site scripting (XSS) attacks, unexpected process crashes, unauthorized access to script message handlers, and sandbox escapes. These vulnerabilities could allow malicious websites to execute arbitrary code, access sensitive data, or fingerprint users. The fixes involve improved state management, input validation, memory handling, and authorization checks. Apple acknowledges contributions from multiple security researchers, including those from Ant Group, Tripton, and independent researchers. The update is available via the Mac App Store, with detailed security content listed on Apple’s support page.
The vulnerabilities highlight ongoing challenges in web browser security, particularly in WebKit, which powers Safari and other browsers. While Apple has addressed these issues, the frequency and severity of such vulnerabilities underscore the importance of timely updates and robust security practices for users and developers alike.
Full Take
The strongest version of this narrative is that Apple is proactively addressing critical security vulnerabilities in Safari, demonstrating a commitment to user safety. The update fixes multiple high-risk issues, including bypasses of fundamental web security mechanisms like CSP and SOP, which could have allowed malicious actors to exploit users. The acknowledgment of numerous external researchers suggests a collaborative approach to security, reinforcing trust in Apple’s processes.
However, the pattern of recurring WebKit vulnerabilities raises questions about the underlying architecture and whether reactive patches are sufficient. The sheer number of CVEs and the diversity of researchers involved hint at a systemic challenge in web browser security. While Apple deserves credit for transparency and timely fixes, the frequency of such updates may normalize a cycle of vulnerability and patching, potentially desensitizing users to the risks.
Root cause: The narrative assumes that software complexity is inevitable and that security is a perpetual arms race rather than a solvable problem. This echoes historical patterns in tech, where convenience and feature expansion often outpace security considerations. The implications for human agency are significant—users are increasingly dependent on vendors to protect them, with little recourse if vulnerabilities are exploited before patches are applied.
Bridge questions: What structural changes in browser design could reduce the frequency of such vulnerabilities? How might users balance convenience with security in an era of constant updates? What incentives could encourage more proactive security measures rather than reactive fixes?
Counterstrike scan: A coordinated influence campaign might exaggerate the severity of these vulnerabilities to undermine trust in Apple or promote alternative browsers. However, the content here is factual and transparent, with no signs of manipulation. The focus on technical details and acknowledgments aligns with standard security disclosure practices, not an attack playbook.
Patterns detected: none
