Apple Fixes Safari WebKit Flaws and Xcode Root File-Read Vulnerability
Apple released Safari 26.4 and Xcode 26.4 security updates to address multiple vulnerabilities affecting macOS systems. The Safari update for macOS Sonoma and macOS Sequoia fixes seven CVE-tracked issues in WebKit and WebKit Sandboxing that could enable Content Security Policy and Same Origin Policy bypasses, cross-site scripting, process crashes, cross-origin access to script message handlers, improper processing of restricted web content, and user fingerprinting. Apple said the flaws were mitigated through improved state management, input validation, logic checks, memory handling, and authorization controls.
The Xcode 26.4 advisory covers two vulnerabilities on systems running macOS Tahoe 26.2 and later. Apple patched an out-of-bounds read in otool (CVE-2026-28890) that could let an app trigger an unexpected system termination, and a permissions flaw in Simulator (CVE-2026-28889) that could allow an app to read arbitrary files as root. Apple credited external researchers for the findings and made the updates available through the Mac App Store, developer download channels, and its security releases pages.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Apple releases Xcode 26.4 security update
Apple published advisory APPLE-SA-03-24-2026-10 for Xcode 26.4, addressing two vulnerabilities affecting systems running macOS Tahoe 26.2 and later. The fixes resolve an out-of-bounds read in otool (CVE-2026-28890) that could cause unexpected system termination and a Simulator permissions issue (CVE-2026-28889) that could let an app read arbitrary files as root.
Apple releases Safari 26.4 security update
Apple published advisory APPLE-SA-03-24-2026-9 for Safari 26.4, available through the Mac App Store for macOS Sonoma and macOS Sequoia. The update fixes seven WebKit and WebKit Sandboxing vulnerabilities, including issues that could enable Content Security Policy and Same Origin Policy bypasses, cross-site scripting, process crashes, improper processing of restricted web content, and user fingerprinting.