CVE-2026-20676

CWE-400 — Uncontrolled Resource Consumption CWE-20113 documents9 sources

Severity

5.3MEDIUM

EPSS

0.0%

top 89.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple IOS AND Ipados Apple Macos Apple Safari +3 more

Timeline

PublishedFeb 11

Latest updateMar 19

Description

This issue was addressed through improved state management. This issue is fixed in Safari 26.3, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A website may be able to track users through Safari web extensions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages11 packages

▶CVEListV5apple/safari< 26.3

▶NVDapple/safari< 26.3

▶CVEListV5apple/macos< 26.3

▶NVDapple/macos< 26.3

▶NVDapple/ipados< 26.3

🔴Vulnerability Details

GHSA

GHSA-cpw4-rfmm-h598: This issue was addressed through improved state management↗2026-02-12

▶

OSV

CVE-2026-20676: This issue was addressed through improved state management↗2026-02-11

▶

OSV

CVE-2026-20676: This issue was addressed through improved state management↗2026-02-11

▶

CVEList

CVE-2026-20676: This issue was addressed through improved state management↗2026-02-11

▶

📋Vendor Advisories

Red Hat

webkitgtk: A website may be able to track users through Safari web extensions↗2026-03-18

▶

Apple

CVE-2026-20676: Safari 26.3↗2026-02-11

▶

Apple

CVE-2026-20676: macOS Tahoe 26.3↗2026-02-11

▶

Apple

CVE-2026-20676: iOS 26.3 and iPadOS 26.3↗2026-02-11

▶

Apple

CVE-2026-20676: visionOS 26.3↗2026-02-11

▶

🕵️Threat Intelligence

Wiz

CVE-2026-20676 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-20676 webkitgtk: A website may be able to track users through Safari web extensions [fedora-all]↗2026-03-19

▶