Description
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Published: 2026-05-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free bug in Safari’s memory handling can be triggered by maliciously crafted web content, causing an unexpected crash of the browser. Apple has addressed the issue in version 26.5 across Safari, iOS, iPadOS, macOS Tahoe, tvOS, visionOS, and watchOS. No code execution or privilege escalation has been reported; the primary impact is a denial of service that disrupts normal browsing activity.

Affected Systems

All Apple operating systems running a version earlier than 26.5 are vulnerable. This includes iOS, iPadOS, macOS (Tahoe release), tvOS, visionOS, and watchOS. The fix is delivered in the 26.5 update for each platform.

Risk and Exploitability

Because the flaw merely causes a crash and no code execution has been demonstrated, the immediate risk to confidentiality or integrity is low. The CVSS score of 6.5 is rated Medium, the EPSS score is less than 1%, and the vulnerability is not listed in CISA’s KEV catalog, reflecting a low likelihood of exploitation. The most probable attack vector is a malicious web page that, when loaded in Safari, triggers the use-after-free and crashes the application.

Generated by OpenCVE AI on May 13, 2026 at 21:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest OS updates that contain the Safari fix (iOS 26.5, iPadOS 26.5, macOS 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5).
  • Avoid browsing untrusted or suspicious web sites until the update is applied, to reduce exposure to crafted content.
  • Close and restart Safari after any crash to prevent repeated crashes, and update the browser as soon as the patch is available.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Title webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
References
Metrics
Values Removed: threat_severity: None
Values Added: threat_severity: Important


Thu, 14 May 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Wed, 13 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description
Values Removed: A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Values Added: A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
References

Wed, 13 May 2026 18:45:00 +0000

Type Values Removed Values Added
Title Safari Crash via Use‑After‑Free Bug

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos

Mon, 11 May 2026 22:30:00 +0000

Type Values Removed Values Added
Title Safari Crash via Use‑After‑Free Bug
Weaknesses CWE-416

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-13T19:58:44.539Z

Reserved: 2026-03-03T16:36:03.989Z

Link: CVE-2026-28942

Vulnrichment

Updated: 2026-05-13T13:34:29.394Z

NVD

Status: Analyzed

Published: 2026-05-11T21:18:55.427

Modified: 2026-05-14T14:32:26.840

Link: CVE-2026-28942

Redhat

Severity: Important

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-28942 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T22:00:06Z

Weaknesses