Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Published: 2026-05-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves a memory corruption flaw triggered by maliciously crafted web content that can lead to a process crash. Apple has implemented improved memory handling to mitigate the issue, but devices running unpatched versions remain at risk. Because the crash results in a denial of service, it disrupts user sessions and overall system stability.

Affected Systems

Apple devices running older releases of Safari, iOS, iPadOS, macOS, tvOS, visionOS, and watchOS before the patched versions Safari 26.5, iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5 are affected. Updating to these patched OS releases and Safari removes the crash risk.

Risk and Exploitability

The CVSS score is 7.5, the EPSS score is < 1%, and the vulnerability is not listed in the KEV catalog. The attack likely involves delivering maliciously crafted web content that exploits the memory handling flaw to trigger a crash. Because the vulnerability can be triggered by crafted content, it is a significant concern, yet the EPSS score indicates a low probability of exploitation.

Generated by OpenCVE AI on June 3, 2026 at 04:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all affected Apple devices and Safari to the newest releases: Safari 26.5, iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5.
  • Monitor affected devices for unexpected crashes and review system logs for evidence of exploitation attempts.
  • Use web filtering or safe browsing tools to limit exposure to malicious web content on the devices.



Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Title webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash
Weaknesses CWE-120
References
Metrics
Removed: threat_severity: None
Added: threat_severity: Important


Wed, 13 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title Memory Corruption via Malicious Web Content Leading to Process Crash

Wed, 13 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description
Removed: The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Added: The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
References

Tue, 12 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Memory Corruption via Malicious Web Content Leading to Process Crash

Tue, 12 May 2026 17:15:00 +0000

Type Values Removed Values Added
Title Memory Corruption in Web Content Rendering Causing Unexpected Process Crash
First Time appeared Apple ipados
Apple iphone Os
Weaknesses CWE-787
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos

Mon, 11 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Memory Corruption in Web Content Rendering Causing Unexpected Process Crash
Weaknesses CWE-119
CWE-787

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-13T19:58:48.607Z

Reserved: 2026-03-03T16:36:03.984Z

Link: CVE-2026-28904

Vulnrichment

Updated: 2026-05-12T13:16:58.366Z

NVD

Status: Modified

Published: 2026-05-11T21:18:53.210

Modified: 2026-05-13T21:16:42.580

Link: CVE-2026-28904

Redhat

Severity: Important

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-28904 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-03T04:15:24Z

Weaknesses