Description
A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Tahoe 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Published: 2026-05-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free condition in Safari’s memory handling can be triggered by maliciously crafted web content, causing the browser to crash. This results in a denial of service to the user and may affect the stability of the system if Safari is required for critical tasks.

Affected Systems

Safari on Apple macOS releases earlier than macOS Tahoe 26.5 is vulnerable. Apple resolves the issue in macOS Tahoe 26.5, which includes the updated memory management code.

Risk and Exploitability

The CVSS score is 6.5 (Medium), while the EPSS score remains below 1%, suggesting a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a malicious website that a user must visit; exploitation requires user interaction and does not provide code execution. The resulting impact is limited to a browser crash and denial of service.

Generated by OpenCVE AI on May 12, 2026 at 21:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install macOS 26.5 or later to receive the Safari patch
  • Ensure the system’s Software Update feature is enabled so Safari is updated automatically
  • If immediate update is impossible, consider disabling or limiting JavaScript and third‑party plug‑ins, or use an alternative browser to reduce exposure to malicious content

Advisories

No advisories yet.

History

Tue, 12 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Safari Causing Crash with Malicious Web Content

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Safari Causing Crash with Malicious Web Content
First Time appeared Apple
Apple macos
Weaknesses CWE-416
Vendors & Products Apple
Apple macos

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Tahoe 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-12T17:46:56.201Z

Reserved: 2026-03-03T16:36:03.989Z

Link: CVE-2026-28946

Vulnrichment

Updated: 2026-05-12T17:46:53.427Z

NVD

Status: Undergoing Analysis

Published: 2026-05-11T21:18:55.740

Modified: 2026-05-12T18:16:48.423

Link: CVE-2026-28946

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:00:22Z
