Quick Brief
- Safari 26.3 patches 6 vulnerabilities including arbitrary file writing and history access flaws
- Update released February 11, 2026 for macOS Sonoma and macOS Sequoia exclusively
- WebKit received 5 separate fixes addressing denial-of-service and process crash risks
- CFNetwork vulnerability (CVE-2026-20660) allowed remote attackers to write arbitrary files
Apple released Safari 26.3 on February 11, 2026, addressing six security vulnerabilities that exposed macOS Sonoma and Sequoia users to privacy breaches and system crashes. The update arrives one day after the release, signaling Apple’s accelerated response to emerging threats. Safari history exposure and arbitrary file writing represented the most severe risks in this patch cycle.
Critical Vulnerabilities Addressed
CFNetwork Arbitrary File Writing Flaw
CVE-2026-20660 enabled remote users to write arbitrary files to affected systems through a path handling defect. Apple resolved this by implementing improved logic in CFNetwork’s file management processes. Security researcher Amy discovered this vulnerability, which carried significant implications for system integrity. The flaw could have allowed attackers to place malicious executables in critical system directories without user interaction.
Safari History Access Vulnerability
A logic issue in Safari (CVE-2026-20656) permitted applications to access users’ browsing history without authorization. Mickey Jin identified this privacy-compromising vulnerability that Apple fixed through improved validation mechanisms. This represents a critical breach of user privacy expectations, as browsing history contains sensitive information about user behavior, financial transactions, and personal research patterns.
WebKit Security Fixes
Denial-of-Service Vulnerabilities
WebKit received five separate patches targeting memory handling and state management issues. CVE-2026-20652, discovered by Nathaniel Oh, addressed a denial-of-service vulnerability triggered by remote attackers. The flaw exploited boundary errors when processing HTML content, causing browser crashes. Similar vulnerabilities (CVE-2026-20635, CVE-2026-20636, CVE-2026-20644) discovered by researchers EntryHi and the TSDubhe team followed identical attack patterns.
Process Crash and Tracking Risks
CVE-2026-20608 enabled maliciously crafted web content to trigger unexpected process crashes through poor state management. Tom Van Goethem identified CVE-2026-20676, which allowed websites to track users through Safari web extensions by exploiting state management weaknesses. Apple addressed both through improved state management protocols.
Affected Systems and Deployment
Safari 26.3 exclusively supports macOS Sonoma and macOS Sequoia. The update does not extend to iOS, iPadOS, or visionOS platforms, which receive security patches through their respective operating system updates. macOS Tahoe 26.3 received a parallel security update on the same date, addressing overlapping vulnerabilities including CVE-2026-20656.
Update Installation Process
macOS users receive Safari 26.3 through System Settings under Software Update. The update installs independently of full system updates, allowing faster deployment of browser security fixes. Apple recommends immediate installation for all macOS Sonoma and Sequoia users to mitigate active exploitation risks.
Context: Recent Safari Security Trends
Safari 26.2, released December 12, 2025, patched two zero-day vulnerabilities (CVE-2025-43529 and CVE-2025-14174) that Apple confirmed were exploited in sophisticated targeted attacks. Google Threat Analysis Group collaborated on discovering these WebKit use-after-free and memory corruption flaws. The rapid succession of critical security updates signals an escalating threat landscape for browser engines in early 2026.
Security Research Recognition
Apple acknowledged contributions from security researchers across multiple organizations. The TSDubhe team and Nan Wang (@eternalsakura13) received recognition for identifying multiple WebKit vulnerabilities. Independent researchers EntryHi, Mickey Jin, and Nathaniel Oh contributed critical vulnerability disclosures. Apple’s security response process includes coordination with researchers like David Wood, Luigino Camastra of Aisle Research, and Vsevolod Kokorin of Solidlab.
Vulnerability Impact Assessment
| CVE Identifier | Component | Impact | Severity |
|---|---|---|---|
| CVE-2026-20660 | CFNetwork | Arbitrary file writing | Critical |
| CVE-2026-20656 | Safari | History access | High |
| CVE-2026-20652 | WebKit | Denial-of-service | Medium |
| CVE-2026-20608 | WebKit | Process crash | Medium |
| CVE-2026-20676 | WebKit | User tracking | Medium |
| CVE-2026-20644, CVE-2026-20636, CVE-2026-20635 | WebKit | Process crash | Medium |
Apple’s Security Disclosure Policy
Apple maintains a policy of withholding security vulnerability details until investigations conclude and patches deploy. The company references vulnerabilities by CVE identifiers when available and publishes comprehensive documentation on its security releases page. This approach balances transparency with customer protection by preventing exploitation windows between disclosure and patching.
Frequently Asked Questions (FAQs)
How do I install Safari 26.3 on macOS?
Open System Settings on your Mac, navigate to General > Software Update, and click Update Now when Safari 26.3 appears. The update installs automatically without requiring a system restart.
Does Safari 26.3 work on older macOS versions?
No, Safari 26.3 exclusively supports macOS Sonoma and macOS Sequoia. Users on earlier macOS versions must upgrade their operating system to receive this security update.
What is the most severe vulnerability in Safari 26.3?
CVE-2026-20660 in CFNetwork represents the most critical risk, allowing remote attackers to write arbitrary files to your system without authorization through path handling exploitation.
Should I update Safari immediately?
Yes, Apple recommends immediate installation for all macOS Sonoma and Sequoia users. The vulnerabilities addressed include active privacy and security risks that could compromise browsing data.
Were any Safari 26.3 vulnerabilities exploited before patching?
Apple has not confirmed active exploitation of Safari 26.3 vulnerabilities. However, previous Safari versions (26.2) experienced confirmed zero-day exploitation in targeted attacks.
Does Safari 26.3 include new features?
Safari 26.3 is a security-focused update containing only vulnerability patches. No new features or functionality improvements were included in this release.
How often does Apple release Safari security updates?
Apple releases Safari security updates on an as-needed basis, typically within weeks of discovering critical vulnerabilities. Recent patterns show updates every 4-8 weeks during high-threat periods.
Can I verify which Safari version I’m running?
Open Safari, click Safari in the menu bar, select About Safari, and view your version number. Safari 26.3 displays as “Version 26.3” in this dialog.
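A scriptable form of the version check above, for auditing Macs without opening the About dialog. This is an added example, not from Apple or the original article. It assumes Safari is installed at /Applications/Safari.app and reads the bundle version with `defaults read`; the function names and sample versions are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag Safari installs older than the patched release (26.3).
MIN_SAFARI="26.3"
# Assumption: default Safari bundle location; adjust if your fleet differs.
SAFARI_PLIST="/Applications/Safari.app/Contents/Info"

# version_ge A B: return 0 if A >= B, 1 if A < B, 2 if either is not numeric.
# Fields are compared as integers, so 26.10 > 26.3 and 26.3.1 > 26.3.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa:-0}; fb=${fb:-0}
        case $fa$fb in *[!0-9]*) return 2 ;; esac
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0
}

# safari_status VERSION: print PATCHED, OUTDATED or UNKNOWN.
safari_status() {
    [ -n "$1" ] || { echo UNKNOWN; return 0; }
    rc=0
    version_ge "$1" "$MIN_SAFARI" || rc=$?
    case $rc in
        0) echo PATCHED ;;
        1) echo OUTDATED ;;
        *) echo UNKNOWN ;;
    esac
}

# installed_safari_version: print the local bundle version, or nothing.
installed_safari_version() {
    defaults read "$SAFARI_PLIST" CFBundleShortVersionString 2>/dev/null || true
}

if [ "$(uname -s)" = "Darwin" ]; then
    v=$(installed_safari_version)
    echo "Safari ${v:-not found}: $(safari_status "$v")"
else
    # Not a Mac: run the comparison over constructed sample versions instead.
    for v in 18.6 26.2 26.3 26.3.1 26.10; do
        echo "Safari $v: $(safari_status "$v")"
    done
fi
```

The field-by-field integer comparison matters because a plain string comparison would rank 26.10 below 26.3 and report a newer build as outdated.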

