Impact
A use-after-free issue was identified in Apple software. It can be triggered by processing maliciously crafted web content and leads to memory corruption. The flaw stems from improper memory management after an object is deallocated and corresponds to CWE-416 (Use After Free). Depending on the context, memory corruption could potentially enable an attacker to execute arbitrary code or compromise system integrity.
Affected Systems
Versions of Safari, iOS, iPadOS, and macOS released before 26.5.2 are affected. The vulnerability is fixed in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2.
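The version boundary above can be applied to an asset inventory as follows. This is an added example, not part of the advisory or of any Apple or OpenCVE tooling; the inventory format (host, product, version per line), the host names and the sample records are constructed assumptions.

```python
import re

# Fixed releases, taken from the "Affected Systems" text above.
FIXED = {"safari": (26, 5, 2), "ios": (26, 5, 2),
         "ipados": (26, 5, 2), "macos": (26, 5, 2)}

def parse_version(text):
    """Return (major, minor, patch) or None if the string is not a dotted version.
    Missing components count as 0, so "26.5" sorts below "26.5.2".
    A trailing parenthesised suffix is tolerated (assumed inventory quirk)."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\s*\(.*\))?\s*", text)
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())

def classify(product, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    fixed = FIXED.get(product.strip().lower())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "unknown"  # product not named in the advisory, or unparseable version
    return "patched" if parsed >= fixed else "vulnerable"

def triage(inventory_csv):
    """Map host -> [(product, version, status)] for every record not confirmed patched."""
    findings = {}
    for line in inventory_csv.strip().splitlines():
        host, product, version = [field.strip() for field in line.split(",")]
        status = classify(product, version)
        if status != "patched":
            findings.setdefault(host, []).append((product, version, status))
    return findings

# Constructed sample inventory; not real hosts or data.
SAMPLE = """
mac-001,macOS,26.5.2
mac-001,Safari,26.5.1
mac-002,macOS,26.5
phone-17,iOS,26.5.2
tablet-03,iPadOS,26.4.1
kiosk-09,macOS,unknown-build
"""

if __name__ == "__main__":
    for host, items in triage(SAMPLE).items():
        for product, version, status in items:
            print(f"{host}: {product} {version} -> {status}")
```

Records reported as `unknown` are kept in the output rather than dropped, so a host with an unreadable version string is reviewed by hand instead of being counted as patched.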
Risk and Exploitability
Because EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, a precise exploitation probability cannot be quantified. The impact is limited to memory corruption; however, if an attacker can inject or drive crafted content through the browser or embedded web views, local privilege or remote code execution could be possible. The likely attack vector involves visiting malicious web pages or loading infected web resources through Safari or system web components. The absence of a CVSS score means that organizations should treat the issue with caution and assess the risk based on the potential for arbitrary code execution in their environment.