Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may result in the disclosure of process memory.
Published: 2026-06-29
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper memory handling when processing maliciously crafted web content, which can lead to disclosure of process memory to an unauthenticated attacker. This issue reflects CWE-200 (Information Exposure), CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), and CWE-416 (Use After Free). An attacker can construct a web page that, once rendered by the browser or operating system, exposes sensitive data stored in memory, potentially including private credentials or other confidential information. This constitutes a confidentiality breach rooted in unprotected read access to process memory.

Affected Systems

Apple Safari, iOS, iPadOS, and macOS Tahoe are affected, with all versions prior to 26.5.2 vulnerable. The update to version 26.5.2 or later includes the fix that enhances memory safety for web content.

Risk and Exploitability

The CVSS score of 6.5 corresponds to Medium severity. EPSS is not available, and the vulnerability is not listed in KEV. The issue can still be exploited via client-side web content presented to a user. The likely attack vector involves a user's interaction with a compromised web page; this is inferred from the description that processing malicious web content may disclose process memory. Exploitation does not require privileged access or complex setup. While the precision of the risk assessment is limited, the potential impact of memory disclosure warrants prompt action.

Generated by OpenCVE AI on June 30, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Safari, iOS, iPadOS, and macOS to version 26.5.2 or later.
  • Enable automatic updates to ensure the fix is applied promptly.
  • Use web‑content filtering or restrict access to untrusted sites to reduce exposure to malicious pages.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Memory Disclosure via Improper Handling of Malicious Web Content in Apple Browsers and Operating Systems
Weaknesses CWE-200

Mon, 29 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Memory Disclosure via Improper Handling of Malicious Web Content in Apple Browsers and Operating Systems
Weaknesses CWE-119
CWE-200
CWE-416
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may result in the disclosure of process memory.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-06-29T21:47:32.518Z

Reserved: 2026-05-01T22:46:21.647Z

Link: CVE-2026-43740

Vulnrichment

Updated: 2026-06-29T21:47:21.925Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T00:30:06Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-416

    Use After Free