This Week in WebKit — April 11–17, 2026
Featured
The IPC handler that registers file-backed blob URLs validated the primary path against an allowlist, then accepted a replacementPath for transcoded files without checking it at all. A compromised WebContent process sends a legitimate path that passes the allowlist and a replacementPath pointing at any file the Network process can read. Fetch the resulting blob URL from JavaScript and the contents come back. No memory corruption needed — pure logic bug at the sandbox boundary.
After restoreParenContext reinstates a global frame range, every parenContextHead slot inside that range can point at a freed and free-list-recycled ParenContext. The earlier patch walked only the current term's inner disjunction, so siblings produced by +? expanding to FixedCount + isCopy were missed. A regex like ((c|b)*?(y|x)+?.){3}mp lines those sibling groups up inside the restored range, and JIT-compiled backtracking dereferences a recycled context on the next chain walk. The bug title claims instruction-pointer control on top of the UAF.
When PutByVal IC support for non-string primitive keys landed, the TransitionReallocatingOutOfLineHandler slot was wired to the inline allocation handler instead of the out-of-line one. The inline path zero-fills a freshly allocated butterfly without copying the IndexingHeader — which holds the byte-length metadata typed-array views rely on for bounds checks. Drop a resizable ArrayBuffer behind an Int8Array, assign to ta[undefined] in a hot loop, and the IC fires with a zeroed header. Subsequent indexed accesses run against corrupted bounds metadata on the array.
WebKit's CSP port-matching has a relaxation that treats default ports 80 and 443 as equivalent when an http→https upgrade fires. The gate on that relaxation only inspected the port value — the disjunct m_port == defaultInsecurePort had no scheme constraint at all. So script-src https://host:80 matched https://host:443, despite both sides being secure and the ports differing. The fix threads a SchemeMatchResult enum through so port matching knows whether an actual upgrade happened before relaxing.
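To make the gating problem concrete, here is an added, simplified model of the scheme- and port-matching logic described above; it is illustrative code written for this digest, not WebKit's implementation, and the helper names, the `wildcardPort` sentinel and the flawed variant are constructed for the example (only the `SchemeMatchResult` enum name comes from the fix).

```cpp
#include <cstdint>
#include <string_view>

// Outcome of comparing a source expression's scheme with the URL's scheme.
// Only an Upgrade result may unlock the 80 <-> 443 port relaxation.
enum class SchemeMatchResult { NoMatch, Match, Upgrade };

constexpr uint16_t defaultInsecurePort = 80;
constexpr uint16_t defaultSecurePort = 443;
constexpr int wildcardPort = -1;  // stands for "*" in the source expression (constructed sentinel)

SchemeMatchResult matchScheme(std::string_view sourceScheme, std::string_view urlScheme)
{
    if (sourceScheme == urlScheme)
        return SchemeMatchResult::Match;
    // CSP lets an "http:" source expression cover an "https:" URL; that is the upgrade case.
    if (sourceScheme == "http" && urlScheme == "https")
        return SchemeMatchResult::Upgrade;
    return SchemeMatchResult::NoMatch;
}

// Model of the flawed gate: the relaxation inspects only port values, so an
// all-https pair with differing ports (source :80, URL :443) is accepted.
bool portMatchesFlawed(int sourcePort, uint16_t urlPort)
{
    if (sourcePort == wildcardPort || sourcePort == urlPort)
        return true;
    bool sourceIsDefault = sourcePort == defaultInsecurePort || sourcePort == defaultSecurePort;
    bool urlIsDefault = urlPort == defaultInsecurePort || urlPort == defaultSecurePort;
    return sourceIsDefault && urlIsDefault;
}

// Corrected gate: relax 80 -> 443 only when the scheme comparison reported an upgrade.
bool portMatches(int sourcePort, uint16_t urlPort, SchemeMatchResult scheme)
{
    if (sourcePort == wildcardPort || sourcePort == urlPort)
        return true;
    return scheme == SchemeMatchResult::Upgrade
        && sourcePort == defaultInsecurePort && urlPort == defaultSecurePort;
}

// Host-independent part of a source-expression check: scheme first, then port.
bool sourceMatches(std::string_view sourceScheme, int sourcePort,
                   std::string_view urlScheme, uint16_t urlPort)
{
    SchemeMatchResult scheme = matchScheme(sourceScheme, urlScheme);
    if (scheme == SchemeMatchResult::NoMatch)
        return false;
    return portMatches(sourcePort, urlPort, scheme);
}
```

A regression test for the fix is the pair `https://host:80` against `https://host:443`: the corrected gate rejects it while the flawed one accepts it, and the legitimate `http://host` to `https://host` upgrade still matches.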
ARM MTE catches use-after-free by mismatching pointer tags against memory tags, but compact pointers repurpose those upper bits for compression. CompactRefPtrTuple's destructor decremented the refcount but left the compressed pointer bits sitting in storage. An attacker who already has a UAF on an object containing one finds a valid-looking compressed pointer in the reclaimed slot — no tag mismatch, no MTE fault. The fix calls secureZeroBytes on the storage so the residue is wiped on destruction.
Security fixes
- Document.open() UAF via MutationObserver on Cross-Document Element (High, WebCore DOM)
- ANGLE Metal uint32_t Overflow in Compute Dispatch (Medium, ANGLE Metal backend)
- WTF Vector growImpl Release Assert Hardening (Medium, WTF Vector)
- Wasm GC Type Dependency Tracking: Missing Subtype Expansion (Medium, JSC WebAssembly GC)
- Download Prompt Origin Spoofing via Back-Forward Navigation (Medium, WebKit UIProcess)
- DocumentLoader ScriptDisallowedScope Bypass via PluginView Destruction (Medium, WebCore document loader)
- RenderLayer Re-Entrancy During Reflection Layer Teardown (Medium, WebCore RenderLayerCompositor)
- SVG RenderSVGShape Null Dereference in isPointInStroke (Low, WebCore SVG rendering)
- SWServer Invalid Iterator Dereference on Desynchronized Maps (Low, Service Workers (SWServer))
Notable development
- JSC Module Loader Rewrite: WHATWG-Era JS Builtins Replaced with Pure C++ (refactor)
- Wasm Wide Arithmetic Proposal: 128-bit Operations Across All JIT Tiers (feature)
- Table Rendering: RenderTableRow Promoted to RenderBlock (refactor)
- Lazy Video Viewport Observer: GPU Layer Teardown for Off-Screen Videos (optimization)
- ::first-letter Selection Fix: New rendererAndOffset() Position Resolver (bug)
- B3 32-Bit Unsigned Division-by-Constant Optimization (optimization)
- Web Extension Error Reporting with URL Masking Bypass (feature)
- Promise.isPromise: Cross-Realm Native Promise Predicate (feature)
- Find-in-Page: Cached Flat Buffer with Lazy Invalidation (optimization)
- XML Parser Billion-Laughs Mitigation via Deferred Entity Registration (bug)