Description
The issue was addressed with improved input validation. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Published: 2026-05-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper input validation (CWE‑20) that permits maliciously crafted web content to trigger an unexpected process crash when processed by Safari, iOS, iPadOS, macOS, tvOS, visionOS, or watchOS. The crash interrupts normal operation and results in a denial of service; it does not enable code execution or compromise data confidentiality.

Affected Systems

Affected devices include Apple iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The fix is delivered in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5.

Risk and Exploitability

The CVSS score of 4.3, EPSS score of <1%, and the absence from CISA's KEV list indicate a moderate severity and low exploitation probability. The issue requires processing of maliciously crafted web content, which suggests the attack vector involves either local exposure of such content or remote delivery through web services on the device. While the vulnerability does not provide code execution, it can cause repeated crashes, creating a significant availability risk especially for services relying on uninterrupted web content processing. Since exploitation requires the presence of malformed content, the likelihood of attack remains moderate but the impact on affected systems is high for denial of service scenarios.

Generated by OpenCVE AI on May 13, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest OS updates that include the fix for iOS, iPadOS, macOS, tvOS, visionOS, or watchOS.
  • Implement a web content filtering solution to block or sanitize malicious pages before they reach the device.
  • Adjust system or application settings to restrict or disable web components that handle untrusted input, such as disabling specific web engines or features if supported.

Generated by OpenCVE AI on May 13, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Malicious Web Content Can Trigger Unexpected Process Crashes via Improper Input Validation

Wed, 13 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash. The issue was addressed with improved input validation. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
References

Wed, 13 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Tue, 12 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Malicious Web Content Can Trigger Unexpected Process Crashes via Improper Input Validation

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
References

Subscriptions

Apple Ios And Ipados Ipados Iphone Os Macos Tvos Visionos Watchos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-13T19:58:58.360Z

Reserved: 2026-03-03T16:36:03.985Z

Link: CVE-2026-28917

cve-icon Vulnrichment

Updated: 2026-05-12T18:11:31.640Z

cve-icon NVD

Status : Modified

Published: 2026-05-11T21:18:54.110

Modified: 2026-05-13T21:16:43.220

Link: CVE-2026-28917

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T22:00:06Z

Weaknesses
  • CWE-20

    Improper Input Validation