Medium severity4.3NVD Advisory· Published Feb 11, 2026· Updated Apr 2, 2026

CVE-2026-20635

Description

The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3. Processing maliciously crafted web content may lead to an unexpected process crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Processing malicious web content can cause unexpected process crash due to memory handling issue in multiple Apple products, patched in February 2026.

Vulnerability

Analysis

CVE-2026-20635 is a memory handling vulnerability in Apple's WebKit engine, affecting Safari and various operating systems including iOS, iPadOS, macOS Tahoe, tvOS, visionOS, and watchOS [1][2][3][4]. The root cause is improper memory management when processing maliciously crafted web content, potentially leading to memory corruption.

The attack vector is via web content; an attacker would need to entice a user to visit a specially crafted webpage. No additional privileges or physical access are required. The vulnerability can be triggered remotely through Safari or any application that uses WebKit [1][2][3][4].

Successful exploitation results in an unexpected process crash, causing a denial of service. The impact is limited to application termination; there is no indication of code execution or data exfiltration.

Apple addressed the issue in updates released on February 11, 2026: Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, and watchOS 26.3 [1][2][3][4]. Users are advised to update their devices to the latest software versions.

References

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Apple Inc./Safari
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
Range: <26.3
Apple Inc./Ipados
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
Range: <18.7.5
Apple Inc./Iphone Os
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Range: <18.7.5
Apple Inc./macOS
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Range: <26.3
Apple Inc./tvOS
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
Range: <26.3
Apple Inc./Visionos
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Range: <26.3
Apple Inc./watchOS
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Range: <26.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

support.apple.com/en-us/126346nvdRelease NotesVendor Advisory
support.apple.com/en-us/126347nvdRelease NotesVendor Advisory
support.apple.com/en-us/126348nvdRelease NotesVendor Advisory
support.apple.com/en-us/126351nvdRelease NotesVendor Advisory
support.apple.com/en-us/126352nvdRelease NotesVendor Advisory
support.apple.com/en-us/126353nvdRelease NotesVendor Advisory
support.apple.com/en-us/126354nvdRelease NotesVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000