This Week in WebKit — March 21–27, 2026
Featured
WebGPU buffers must be mapped via an async GPU-side operation before CPU writes are legal, and the GPU process is supposed to enforce that independently of any JS-level guard the renderer chose to honour. RemoteBuffer set m_isMapped = true the instant mapAsync was called — long before the backing map actually completed. A compromised WebContent process could send mapAsync, immediately follow it with copy or copyWithCopy, and the write-state check would wave the operation through during the pending-map window. The fix splits the lifecycle with an m_pendingMap flag and defers the state transition into the success callback — but watch for the follow-up patch the same week, which had to fix a race the new flag introduced.
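To make the state-machine point concrete, here is an added toy model (not WebKit's RemoteBuffer code; all names are hypothetical) that replays the same mapAsync-then-copy sequence under the pre-fix policy, the m_pendingMap fix, and an assumed guarded variant that ignores a completion callback for a map that was unmapped while still pending, which is one shape the mapAsync/unmap race fix listed below could take:

```cpp
// Added example, not WebKit code: a toy model of the RemoteBuffer mapped-state
// lifecycle described above. All names are hypothetical.
enum class Policy {
    MappedOnRequest,           // pre-fix: m_isMapped set as soon as mapAsync is called
    MappedOnCompletion,        // fix: pending flag, transition deferred to the success callback
    MappedOnCompletionGuarded  // assumed follow-up shape: a callback for a map unmapped while pending is ignored
};

struct ModelBuffer {
    Policy policy;
    bool isMapped = false;
    bool pendingMap = false;

    void mapAsync() {
        if (policy == Policy::MappedOnRequest) isMapped = true; // state flipped before the map completed
        else pendingMap = true;
    }
    // The GPU-side map finishes and the completion callback runs.
    void mapCompleted(bool success) {
        if (policy == Policy::MappedOnRequest) return;
        bool stillWanted = pendingMap || policy != Policy::MappedOnCompletionGuarded;
        pendingMap = false;
        if (success && stillWanted) isMapped = true;
    }
    void unmap() { isMapped = false; pendingMap = false; }
    // The write-state check a copy command must pass.
    bool copyAllowed() const { return isMapped; }
};

// Sequence from the writeup: mapAsync immediately followed by copy.
bool copyDuringPendingMap(Policy p) {
    ModelBuffer b{p};
    b.mapAsync();
    return b.copyAllowed();
}
// Normal path: copy once the map has actually completed.
bool copyAfterMapCompleted(Policy p) {
    ModelBuffer b{p};
    b.mapAsync();
    b.mapCompleted(true);
    return b.copyAllowed();
}
// Race the new flag introduced: unmap while pending, then the stale callback fires.
bool copyAfterUnmapThenStaleCallback(Policy p) {
    ModelBuffer b{p};
    b.mapAsync();
    b.unmap();
    b.mapCompleted(true);
    return b.copyAllowed();
}
```

The pre-fix policy accepts the copy during the pending window, the fix rejects it, and only the guarded variant also refuses the copy after a stale completion lands on an already-unmapped buffer.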
ES2025 duplicate-named capture groups added an indirection table that maps a subpattern ID to its shared group ID, and Yarr started using that table for backreference resolution. The miss: it routed numbered backreferences like \1 through the same indirection whenever any duplicate name existed in the pattern, even when the reference had no name to resolve. The misresolution can recurse, so the engine pushes a backtrack frame sized for one match path and rewinds expecting the size of another, walking the stack pointer past the BumpPointerAllocator slab into adjacent heap. Both the pattern structure and the input string are attacker-controlled, giving meaningful influence over the OOB direction and magnitude — and any web page can reach this with one RegExp.
Private Click Measurement is built on the premise that ad-attribution reports go through a privacy proxy that hides the user's IP from the receiving server. Apple's URL loading system only engages that proxy when a request carries a source-application identity and is classified as cross-site, and PCM's NSURLSessionConfiguration set neither — so every attribution report and fraud-token fetch went directly to the destination from the user's real IP. The fix plumbs the bundle identifier (or audit token) through, and forces third-party classification by fabricating a mainDocumentURL of not-<host> against the request's own host, then adds _setPrivacyProxyFailClosed:YES so a proxy outage fails rather than silently degrading to direct.
WebGLOpaqueTexture is a WebGLTexture whose deleteObjectImpl is intentionally a no-op, because the underlying GL texture name belongs to the cross-process swapchain handed in from the UIProcess XR compositor rather than to the GL context that uses it. That decoupling opens a window: if a script retains a JS reference to a sub-image texture after the swapchain releases the backing GL object, the wrapper still points at a freed name that the driver may recycle. Layered on top of that, releaseTexturesAtIndex indexes directly into the swapchain arrays using a value the UIProcess supplies in frame data, with bounds checks that aren't uniform across call sites — and the DMABuf/GBM cross-process image plumbing the commit itself calls incomplete.
The multimemory proposal lets a module declare more than one linear memory region, and the per-instruction memory index byte that WebKit used to require to be a reserved zero is now meaningful. BBQ, OMG, and IPInt all gain a fast path for memory 0 (which preserves the existing cached base/size registers) and a slow path that fetches base and bounds from the instance's memory table. memory.copy between two distinct memories is brand new code where source and destination can have different sizes, and the negative test cases that previously asserted non-zero indices were invalid were deleted without replacement positive coverage for grow_memory and current_memory.
Security fixes
- Fix .note.gnu.property section emission on non-ELF platforms (severity: Low; component: boringssl ARM64 assembly, via libwebrtc)
- Fix mapAsync/unmap race in RemoteBuffer (severity: Medium; component: WebGPU RemoteBuffer, GPU process)