Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Published: 2026-01-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A memory-handling issue in Safari and several Apple operating systems can be triggered by maliciously crafted web content, causing an unexpected process crash. The weakness is classified as CWE-119 (improper restriction of operations within the bounds of a memory buffer): the affected code can operate past a memory boundary, but according to this analysis the flaw does not give an attacker code execution. The primary consequence is denial of service: the affected application or process terminates unexpectedly.

Affected Systems

Apple Safari, iOS, iPadOS, macOS, tvOS, visionOS, and watchOS running any version before 26.2 are impacted. The fix is included in Safari 26.2 and the 26.2 releases of iOS, iPadOS, macOS (Tahoe), tvOS, visionOS, and watchOS.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, and the EPSS score of less than 1% reflects a very low probability that this vulnerability will be actively exploited in the wild. It is not listed in CISA's KEV catalog, which tracks vulnerabilities with evidence of exploitation. The likely attack vector is malicious web content delivered through a browser or web-enabled application, so any device that is connected to the Internet or has received possibly malicious web pages is at risk. Exploitation requires no privileges beyond access to the vulnerable application, although the CVSS vector (UI:R) indicates that a user must open the crafted content.

Generated by OpenCVE AI on April 22, 2026 at 20:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Safari to version 26.2 or later.
  • Upgrade iOS, iPadOS, macOS, tvOS, visionOS, and watchOS to the 26.2 releases or newer.
  • Restart the device to ensure the new software is fully active.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Memory Handling Issue in Apple Web Browsers and OSes Leading to Process Crash

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description
  Values Removed: The issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
  Values Added: The issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, watchOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.

Wed, 14 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple iphone Os
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple iphone Os

Mon, 12 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios
Apple ipados
Apple macos
Apple safari
Apple tvos
Apple visionos
Apple watchos
Vendors & Products Apple
Apple ios
Apple ipados
Apple macos
Apple safari
Apple tvos
Apple visionos
Apple watchos

Fri, 09 Jan 2026 21:30:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may lead to an unexpected process crash.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:07:19.711Z

Reserved: 2025-04-22T21:13:49.960Z

Link: CVE-2025-46298

Vulnrichment

Updated: 2026-01-12T15:34:45.863Z

NVD

Status: Modified

Published: 2026-01-09T22:15:59.693

Modified: 2026-04-02T19:21:04.973

Link: CVE-2025-46298

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T20:15:20Z

Weaknesses