Description
A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, macOS Tahoe 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Published: 2026-05-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free condition in Safari’s memory handling, triggered by maliciously crafted web content, can lead to an unexpected browser crash. The vulnerability arises from improper memory management that was addressed by recent updates. When exploited, the result is a denial of service to the user, potentially impacting any critical tasks that rely on Safari.

Affected Systems

Apple macOS users running Safari versions prior to Safari 26.5 (macOS Tahoe 26.5) are affected. Apple fixed the issue in Safari 26.5, macOS Tahoe 26.5, which include the updated memory handling code.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity, while the EPSS score remains below 1%, indicating a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a malicious website that a user must visit; exploitation requires user interaction and does not provide code execution. The resulting impact is limited to a browser crash and denial of service.

Generated by OpenCVE AI on May 13, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install macOS 26.5 or later to receive the Safari patch
  • Ensure the system’s Software Update feature is enabled so Safari is updated automatically
  • If immediate update is impossible, consider disabling or limiting JavaScript and third‑party plug‑ins, or use an alternative browser to reduce exposure to malicious content

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Title
  Removed: Use‑After‑Free Crash in Safari via Malicious Web Content
  Added: webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash
References
Metrics
  Removed: threat_severity: None
  Added: threat_severity: Important


Wed, 13 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free Crash in Safari via Malicious Web Content

Wed, 13 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description
  Removed: A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Tahoe 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
  Added: A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, macOS Tahoe 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
References

Wed, 13 May 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Tue, 12 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Safari Causing Crash with Malicious Web Content

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Safari Causing Crash with Malicious Web Content
First Time appeared Apple
Apple macos
Weaknesses CWE-416
Vendors & Products Apple
Apple macos

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Tahoe 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-13T19:58:56.741Z

Reserved: 2026-03-03T16:36:03.989Z

Link: CVE-2026-28946

Vulnrichment

Updated: 2026-05-12T17:46:53.427Z

NVD

Status: Modified

Published: 2026-05-11T21:18:55.740

Modified: 2026-05-13T21:16:43.690

Link: CVE-2026-28946

Redhat

Severity: Important

Public Date: 2026-06-02T00:00:00Z

Links: CVE-2026-28946 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T21:45:05Z

Weaknesses