Description
A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Published: 2026-05-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free bug in Safari’s memory handling can be triggered by maliciously crafted web content, causing the browser to crash unexpectedly and denying service. This flaw is a classic use‑after‑free vulnerability (CWE‑416) and has been corrected in the 26.5 updates for iOS, iPadOS, macOS, tvOS, visionOS, and watchOS.

Affected Systems

Apple’s Safari on all major platforms – iOS, iPadOS, macOS, tvOS, visionOS, and watchOS – is vulnerable. Devices running any version before 26.5 are affected; the 26.5 releases contain the required memory‑management fix.

Risk and Exploitability

The primary risk is a denial‑of‑service that crashes Safari when a user views carefully crafted content. The CVSS score of 8.8 indicates high severity, while the EPSS score of < 1% indicates a very low exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Because Safari is the default browser on every Apple device, widespread crashes can disrupt many users, though the CVE does not explicitly mention remote code execution. The attack vector is inferred to be through accessing malicious web pages or embedded web views.

Generated by OpenCVE AI on May 12, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest operating‑system updates that include Safari 26.5 to all affected devices.
  • If a device must remain on an older OS, restrict or block the execution of untrusted web content in Safari or disable automatic opening of external URLs until the update is applied.
  • After updating, monitor for rapid increases in Safari crash reports and investigate any patterns that may indicate targeted exploitation.

Generated by OpenCVE AI on May 12, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Safari Causing Unexpected Crash via Malicious Web Content

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 11 May 2026 22:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in Safari Causing Unexpected Crash via Malicious Web Content
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos
Weaknesses CWE-416
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.
References

Subscriptions

Apple Ios And Ipados Macos Tvos Visionos Watchos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-12T17:45:32.804Z

Reserved: 2026-03-03T16:36:03.990Z

Link: CVE-2026-28947

cve-icon Vulnrichment

Updated: 2026-05-12T17:45:27.206Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-11T21:18:55.863

Modified: 2026-05-12T18:16:48.597

Link: CVE-2026-28947

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T22:30:05Z

Weaknesses