Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Published: 2026-06-29
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from insecure memory handling during the processing of web content in Safari, iOS, iPadOS, and macOS. Maliciously crafted pages can trigger a crash, effectively denying service to the user. This flaw is consistent with memory corruption mechanisms such as buffer copy or use‑after‑free errors, which are categorized as CWEs related to unsanitized memory use.

Affected Systems

Apple publishes that Safari on macOS, the Safari browsers on iOS and iPadOS, and macOS Tahoe are affected. All versions prior to 26.5.2 are vulnerable. Users running Safari 26.5.1 or older, iOS 26.5.1 or older, iPadOS 26.5.1 or older, or macOS Tahoe 26.5.1 or older may experience crashes when rendering malicious web content.

Risk and Exploitability

The CVSS score of 6.5 and the EPSS metric is unavailable, so the precise exploitation probability is uncertain. However, the flaw can be exploited remotely by simply loading a crafted web page, allowing an attacker to target any visitor. The vulnerability is not listed in the CISA KEV catalog and no public exploit is known; the primary risk remains a denial‑of‑service through application crashes.

Generated by OpenCVE AI on June 30, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Safari, iOS, iPadOS, or macOS version 26.5.2 or later.
  • Configure managed devices to enable automatic software updates and enforce a regular update cadence.
  • Deploy network‑level web content filtering to block access to sites known to host malicious payloads until a patch is applied.

Generated by OpenCVE AI on June 30, 2026 at 00:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Safari, iOS, iPadOS, and macOS crash from insecure memory handling of malicious web content
Weaknesses CWE-120

Mon, 29 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Safari, iOS, iPadOS, and macOS crash from insecure memory handling of malicious web content
Weaknesses CWE-119
CWE-120
CWE-416
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-06-29T21:46:53.207Z

Reserved: 2026-05-01T22:46:21.644Z

Link: CVE-2026-43716

cve-icon Vulnrichment

Updated: 2026-06-29T21:46:47.233Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T00:30:06Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-416

    Use After Free