Impact
This vulnerability allows an attacker to craft malicious web content that, when processed by the operating system’s web engine, can expose sensitive user information. The weakness stems from inadequate access restrictions, which permit sensitive data to be disclosed during normal content rendering. The primary security impact is loss of confidentiality: personal or system data may be revealed to the attacker. The description does not disclose any remote code execution or denial-of-service impact.
Affected Systems
The affected vendor is Apple; the affected products are iOS, iPadOS, macOS, and visionOS. Fixed versions include iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, and visionOS 26.5. Systems running earlier releases of any of these operating systems are susceptible.
Risk and Exploitability
The CVSS score is 7.5, indicating high severity for an information disclosure issue. The EPSS score is less than 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in CISA KEV. The likely attack vector is delivery of maliciously crafted web content through a browser or web-enabled application; this is inferred from the description's reference to maliciously crafted web content. No further exploitation conditions are listed, so the mere rendering of such content suffices to trigger the information disclosure.