Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.
Published: 2026-06-29
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Apple’s memory handling for web content processing can cause an unexpected crash of the Safari, iOS, iPadOS, or macOS Tahoe process. An attacker who serves specially crafted web pages could trigger this condition, resulting in a denial of service where the affected application or system becomes unavailable. No direct impact on confidentiality or integrity is described, and the vulnerability is limited to service disruption on the affected platform.

Affected Systems

The defect is present in Apple’s Safari browser, iOS, iPadOS, and macOS Tahoe before version 26.5.2. The fixes are incorporated in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2, which all contain improved memory handling for web content.

Risk and Exploitability

EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower publicly observed exploitation probability. However, a typical attack would involve a remote actor delivering malicious web content to a user’s browser, making the exploitation vector likely remote over HTTP(S). The CVSS score is not disclosed, but the impact of a crash indicates that the risk to availability is significant.

Generated by OpenCVE AI on June 29, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Safari to version 26.5.2 or later, or install a later iOS/iPadOS release that includes the memory handling fix.
  • If an immediate software update is not feasible, use web‑filtering or parental‑control solutions to block sites serving malicious content until the update is applied.
  • For macOS Tahoe users, consider upgrading to a newer macOS release that supersedes version 26.5.2 to maintain ongoing support and security patches.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 22:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-119, CWE-416 |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 29 Jun 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Safari, iOS, iPadOS, and macOS Process Crash from Malicious Web Content |
| Weaknesses | | CWE-122, CWE-788 |

Mon, 29 Jun 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-06-29T21:48:16.265Z

Reserved: 2026-05-01T22:46:21.639Z

Link: CVE-2026-43663

Vulnrichment

Updated: 2026-06-29T21:48:08.808Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T21:30:03Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-122

    Heap-based Buffer Overflow

  • CWE-416

    Use After Free

  • CWE-788

    Access of Memory Location After End of Buffer