Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3. Processing maliciously crafted web content may lead to an unexpected process crash.
Published: 2026-02-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unexpected process crash via malicious web content
Action: Deploy Patch
AI Analysis

Impact

Processing maliciously crafted web content can trigger a memory handling flaw in the WebKit component, causing an unexpected process crash. The vulnerability stems from improper buffer handling leading to both buffer over-read and buffer overrun (CWE-119 and CWE-120). An attacker does not gain code execution but can exploit this flaw to cause a denial-of-service on the affected system by luring a user to crafted web pages that terminate the web rendering process.

Affected Systems

Apple devices that use Safari, iOS, iPadOS, macOS, tvOS, visionOS, and watchOS are impacted. The fix was introduced in Safari 26.3, iOS 18.7.5 and 26.3, iPadOS 18.7.5 and 26.3, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, and watchOS 26.3. All versions prior to these are susceptible to the crash.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity. The EPSS score below 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog, meaning there is no publicly known active exploitation. Nonetheless, the likely attack vector is a user visiting a malicious web page, leading to a process crash that may impair device stability. Because the flaw does not allow remote code execution, the risk is limited mainly to service disruption.

Generated by OpenCVE AI on April 15, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Safari to version 26.3 or later on all affected devices.
  • Apply the latest iOS, iPadOS, macOS, tvOS, visionOS, and watchOS updates that include the WebKit memory handling fix.
  • Until updates are applied, reduce exposure by limiting access to untrusted web content or by configuring device security policy to quarantine or block potentially malicious sites.


Advisories

Source      ID          Title
Debian DLA  DLA-4528-1  webkit2gtk security update
Debian DSA  DSA-6172-1  webkit2gtk security update

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: The issue was addressed with improved memory handling. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3, Safari 26.3. Processing maliciously crafted web content may lead to an unexpected process crash.
Values Added: The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3. Processing maliciously crafted web content may lead to an unexpected process crash.

Fri, 20 Mar 2026 00:15:00 +0000

Type: Title
Values Added: webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash

Type: Weaknesses
Values Added: CWE-120

Type: References

Type: Metrics
Values Removed: threat_severity: None
Values Added: threat_severity: Important


Thu, 12 Feb 2026 22:15:00 +0000

Type: First Time appeared
Values Added: Apple ipados; Apple iphone Os

Type: CPEs
Values Added:
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Apple ipados; Apple iphone Os

Thu, 12 Feb 2026 16:15:00 +0000

Type: Weaknesses
Values Added: CWE-119

Type: Metrics
Values Added:
cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Apple; Apple ios And Ipados; Apple macos; Apple safari; Apple tvos; Apple visionos; Apple watchos

Type: Vendors & Products
Values Added: Apple; Apple ios And Ipados; Apple macos; Apple safari; Apple tvos; Apple visionos; Apple watchos

Wed, 11 Feb 2026 23:15:00 +0000

Type: Description
Values Added: The issue was addressed with improved memory handling. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3, Safari 26.3. Processing maliciously crafted web content may lead to an unexpected process crash.

Type: References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:22:11.635Z

Reserved: 2025-11-11T14:43:07.861Z

Link: CVE-2026-20635

Vulnrichment

Updated: 2026-02-12T15:59:34.344Z

NVD

Status : Modified

Published: 2026-02-11T23:16:06.723

Modified: 2026-04-02T19:21:13.800

Link: CVE-2026-20635

Redhat

Severity : Important

Public Date: 2026-03-18T00:00:00Z

Links: CVE-2026-20635 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T21:00:09Z

Weaknesses