Urgent iOS WebKit patches pushed

Apple published iOS 26.4 and iPadOS 26.4 on March 24, 2026, and its security advisory lists CVE entries such as CVE‑2026‑28895 that describe fixes for memory‑management and parsing issues tied to web content processing. (support.apple.com)) Independent coverage tallies the release at roughly 36–38 patched vulnerabilities for iOS, with Forbes reporting 37 iOS fixes and SecurityWeek noting nearly 40 fixes across Apple platforms in the same update wave. (forbes.com)) SecurityWeek specifies the WebKit work in this release as eight patched WebKit bugs that could enable Same Origin Policy bypass, cross‑site scripting, fingerprinting, sandbox escape, or process crashes—items that change risk posture for any service rendering arbitrary web content. (securityweek.com)) Apple began pushing Lock Screen “Critical Software” alerts after the rollout to notify devices running older iOS versions about active web‑based attacks, a behavior documented by MacRumors and Forbes in late March 2026. (macrumors.com)) Suggested executive‑brief structure for this event: Slide 1 — one‑line summary with T0 = March 24, 2026 and CVE range 36–38; Slide 2 — scope (components: WebKit, Kernel, Siri, Messages) drawn from Apple advisory and third‑party analysis; Slide 3 — rollout status (percent patched at 24/72 hours, failed installs); Slide 4 — risk posture (active exploitation: none confirmed in public reporting); Slide 5 — asks and owners (MDM force‑push, QA gates, telemetry owners). (support.apple.com)) For leadership review cadence and asks, present two operational KPIs (percent of managed fleet patched within 24 hours and mean‑time‑to‑detect web‑exploit indicators measured from T0), set an initial executive target of >90% patch coverage for high‑risk cohorts within 72 hours, and enumerate the number of services that expose in‑app browsers or webviews with a named remediation owner and ETA.