Description
A stack overflow was addressed with improved input validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
Published: 2026-06-29
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack overflow in Safari is triggered when the browser processes maliciously crafted web content, causing an unexpected crash. The vulnerability is a classic stack buffer overflow (CWE‑120) that disrupts the target application by exhausting critical memory, but it does not provide code execution or data exfiltration capabilities. An attacker could force a denial of service on the victim’s device by delivering specially designed page elements that exploit the overflow.

Affected Systems

The flaw affects Apple’s Safari web browser on iOS, iPadOS and macOS. The update that fixes the issue is available in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2 and macOS Tahoe 26.5.2. Devices running earlier releases are vulnerable if they have not applied the patch.

Risk and Exploitability

The known exploitability is limited to the delivery of malicious web content; no remote code execution or persistence is possible. Because the issue produces a crash, the likelihood of widespread exploitation is tempered by its narrow impact, and the lack of a publicly available exploit means it is not currently a high-priority threat. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that exploitation in the wild has not yet been observed. Nonetheless, attackers could leverage the crash to disrupt services, making timely patching advisable.

Generated by OpenCVE AI on June 29, 2026 at 21:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Safari, iOS, iPadOS, and macOS to at least version 26.5.2, which contains the fix for the stack overflow.
  • Enable automatic updates so that future patches are applied automatically and reduce the window of exposure.
  • If an update cannot be performed immediately, employ web‑content filtering or a trusted security gateway to block potentially malicious pages until the device is updated.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 22:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-121
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 22:00:00 +0000

Type | Values Removed | Values Added
Title | | Stack Overflow in Safari Causes Crash via Malicious Web Content
Weaknesses | | CWE-120

Mon, 29 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | A stack overflow was addressed with improved input validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.
References | |

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-06-29T21:18:38.968Z

Reserved: 2026-05-01T22:46:21.645Z

Link: CVE-2026-43718

Vulnrichment

Updated: 2026-06-29T21:18:33.232Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T21:45:04Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-121

    Stack-based Buffer Overflow