Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Published: 2026-05-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apple’s web content rendering components contain a buffer overflow flaw (CWE‑119) that can be triggered by maliciously crafted pages. The vulnerability is addressed with improved memory handling in current releases. If an affected device processes such content before upgrading, the process may crash unexpectedly, leading to a denial of service. The flaw does not grant code execution or data compromise, so the primary impact is service interruption for the application or browser.

Affected Systems

Apple iOS, iPadOS, macOS (codename Tahoe), tvOS, and watchOS are affected in all builds prior to the 26.5 release. Devices running any version older than iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, or watchOS 26.5 are susceptible; updating to the 26.5 update for each platform removes the faulty memory handling logic.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low probability of large‑scale exploitation. The flaw can nevertheless be triggered remotely by serving maliciously crafted web pages or web‑view content to an affected device, resulting in a process crash and denial of service. Although the CVSS score of 7.5 classifies the issue as high severity, the limited exploitability moderates the overall risk.

Generated by OpenCVE AI on May 13, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade devices to iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, or watchOS 26.5, which removes the faulty memory handling logic.
  • If an immediate upgrade is not feasible, block or sanitize suspicious web pages with network or application‑level filtering before they reach the device, reducing the opportunity for exploitation until the patch is applied.
  • Configure firewall or content filtering to block traffic to known malicious domains identified via reputable threat intelligence feeds until the patch is deployed.

Generated by OpenCVE AI on May 13, 2026 at 21:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Web Content Rendering Memory Crash on Apple Operating Systems

Wed, 13 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash. The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
References

Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
Title Web Content Rendering Memory Crash on Apple Operating Systems

Tue, 12 May 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Tue, 12 May 2026 16:15:00 +0000

Type Values Removed Values Added
Title Unexpected Process Crash via Malformed Web Content
Weaknesses CWE-120
CWE-665

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 23:30:00 +0000

Type Values Removed Values Added
Title Unexpected Process Crash via Malformed Web Content
Weaknesses CWE-120
CWE-665

Mon, 11 May 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple watchos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple watchos

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
References

Subscriptions

Apple Ios And Ipados Ipados Iphone Os Macos Tvos Watchos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-13T19:58:51.941Z

Reserved: 2026-03-03T16:36:03.984Z

Link: CVE-2026-28913

cve-icon Vulnrichment

Updated: 2026-05-12T13:51:11.642Z

cve-icon NVD

Status : Modified

Published: 2026-05-11T21:18:53.803

Modified: 2026-05-13T21:16:43.070

Link: CVE-2026-28913

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T22:00:06Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer