Impact
This vulnerability is tied to memory handling in Apple’s web rendering engine. When Safari, iOS, iPadOS, or macOS processes maliciously crafted web content, the memory handling logic can be triggered in a way that causes an unexpected process crash. The crash does not directly expose code execution or data exfiltration, but it terminates the browser or web-related process, disrupting user sessions and potentially rendering the device unusable until restarted. The nature of the weakness is consistent with improper memory management, such as a use-after-free or bad pointer dereference. The impact is limited to denial of service for the affected user or system.
Affected Systems
Apple’s Safari browser, iOS, iPadOS, and macOS Tahoe are affected when they run versions prior to 26.5.2. Apple states that the issue is fixed in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2. No other Apple products or versions are mentioned.
Risk and Exploitability
The CVE has no EPSS score and is not listed in the CISA KEV catalog, suggesting that active exploitation is either not observed or not widespread at this time. Once the update is installed, the risk is mitigated. Attackers would need a user or environment to load the malicious content; there are no indications of a network-based or remote trigger. The crash is local to the browser or system process, so the attacker’s impact remains confined to denial of service on the affected device.