Description
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Published: 2026-05-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Apple memory‑management use‑after‑free flaw is triggered when a device processes maliciously crafted web content, causing the target process to crash unexpectedly. This denial of service can terminate applications or services and disrupt user experience, but it does not allow code execution.

Affected Systems

All major Apple operating systems are impacted, including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Versions before the 26.5 update for each platform are vulnerable; the flaw is fixed in iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5.

Risk and Exploitability

The CVSS score of 7.5 reflects a medium‑high severity, while the EPSS score of <1% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker must deliver maliciously crafted web content to a vulnerable device, likely through a remote web server or local file loaded into a browser. Because the flaw results only in a crash, attackers cannot directly execute code, but the denial of service can impact user experience and business continuity.

Generated by OpenCVE AI on May 13, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest OS update for iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5.
  • Update all web‑rendering components, such as browsers and browser engines, to their latest patched versions.
  • Implement network‑level content filtering or web security gateways to block delivery of malicious web pages to vulnerable devices.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Title webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
References
Metrics
Values Removed: threat_severity None
Values Added: threat_severity Important


Wed, 13 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free Leading to Process Crash in Apple Operating Systems

Wed, 13 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description
Values Removed: A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Values Added: A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
References

Tue, 12 May 2026 18:00:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free Leading to Process Crash in Apple Operating Systems

Tue, 12 May 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Tue, 12 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free Causing Process Crash in Apple Operating Systems
Weaknesses CWE-444

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free Causing Process Crash in Apple Operating Systems
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos
Weaknesses CWE-444
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-13T19:58:50.209Z

Reserved: 2026-03-03T16:36:03.975Z

Link: CVE-2026-28883

Vulnrichment

Updated: 2026-05-12T13:36:43.843Z

NVD

Status: Modified

Published: 2026-05-11T21:18:52.700

Modified: 2026-05-13T21:16:41.903

Link: CVE-2026-28883

Redhat

Severity: Important

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-28883 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T22:00:06Z

Weaknesses