Impact
The vulnerability is an improper memory handling flaw in Safari that can be triggered by maliciously crafted web content. When processed, it causes the browser to crash unexpectedly, resulting in a denial‑of‑service condition for the affected user. The flaw does not provide an attacker with code execution or data exfiltration capabilities; its impact is confined to disrupting the normal operation of Safari.
Affected Systems
Apple devices running iOS, iPadOS, macOS, tvOS, visionOS, and watchOS are affected. The Safari component on each of these operating systems is vulnerable until the updated release that includes the memory handling fix is installed. The fix is available in iOS 26.5, iPadOS 26.5, macOS (Tahoe) 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5.
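To check a fleet against the fixed release listed above, the following added example (not part of the original advisory) triages a device inventory. The CSV layout, device names and sample versions are constructed for illustration; only the platform list and the 26.5 fixed version come from this page.

```python
import csv
import io

# Fixed release per the advisory: every listed platform is fixed in 26.5.
FIXED = {p: (26, 5) for p in ("iOS", "iPadOS", "macOS", "tvOS", "visionOS", "watchOS")}

# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = """device,platform,version
mac-lab-01,macOS,26.4.1
iphone-qa-07,iOS,26.5
ipad-kiosk-02,iPadOS,26.10
watch-demo-03,watchOS,26.5.0
tv-lobby-01,tvOS,18.6
linux-build-01,Linux,6.8
vision-dev-01,visionOS,26.5b
"""

def parse_version(text):
    """Turn '26.4.1' into (26, 4, 1); raise ValueError on non-numeric parts."""
    parts = text.strip().split(".")
    if any(not p.isdecimal() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_fixed(platform, version):
    """True if version >= the fixed release for that platform."""
    # Tuples compare numerically per component, so 26.10 > 26.5 and
    # 26.5.0 >= 26.5; a plain string comparison gets 26.10 wrong.
    return parse_version(version) >= FIXED[platform]

def triage(inventory_csv):
    """Sort device names into needs_update / fixed / review buckets."""
    result = {"needs_update": [], "fixed": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        platform = row["platform"]
        if platform not in FIXED:
            continue  # not an affected platform per the advisory
        try:
            bucket = "fixed" if is_fixed(platform, row["version"]) else "needs_update"
        except ValueError:
            bucket = "review"  # unknown version format: check by hand
        result[bucket].append(row["device"])
    return result

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```

Devices in the `review` bucket report a version string the parser cannot read (for example a beta suffix) and should be checked manually rather than assumed patched.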
Risk and Exploitability
The CVSS score of 7.5 indicates a medium‑to‑high severity level. The EPSS score of < 1% indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, so there is no current evidence of active exploitation. However, the flaw can be triggered simply by directing a user to a crafted web page, which is a widely accessible attack vector. The effect is confined to the affected user's device and limited to an application crash, while the attack itself is typically delivered remotely via web content. Given the high likelihood of denial‑of‑service for users who visit malicious sites before the update is applied, the risk should be treated as high for organizations that rely on Safari for critical or user-facing activities.
OpenCVE Enrichment