CVE-2026-28847
Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in WebKit's memory handling in Apple OS versions before the May 2026 updates can be triggered by malicious web content, causing a denial-of-service crash.
Root Cause
CVE-2026-28847 is an out-of-bounds read vulnerability in WebKit's memory handling. Apple's advisories state that the issue was addressed with improved bounds checking in Safari 26.5 and across all affected operating systems [1][2][3]. The flaw resides in the browser engine code that processes web content.
Exploitation
An attacker can exploit the vulnerability by crafting a malicious webpage or other web content. When a victim visits the page using a vulnerable browser or WebKit-based app, the out-of-bounds read occurs. No additional authentication or user interaction beyond visiting the page is required, making the attack surface broad.
Impact
Successful exploitation leads to an unexpected process crash, resulting in a denial-of-service condition. The impact is limited to application termination; Apple's advisories do not indicate that arbitrary code execution is possible [1][2][3].
Mitigation
Apple released fixes on May 11, 2026, for iOS 18.7.9/iPadOS 18.7.9, iOS 26.5/iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5 [1][2][3][4]. Users should update to the latest available versions. No workarounds are documented.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 26.5
- Range: = 26.5
- Range: = 18.7.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- support.apple.com/en-us/127110 (NVD: Release Notes, Vendor Advisory)
- support.apple.com/en-us/127111 (NVD: Release Notes, Vendor Advisory)
- support.apple.com/en-us/127115 (NVD: Release Notes, Vendor Advisory)
- support.apple.com/en-us/127118 (NVD: Release Notes, Vendor Advisory)
- support.apple.com/en-us/127119 (NVD: Release Notes, Vendor Advisory)
- support.apple.com/en-us/127120 (NVD: Release Notes, Vendor Advisory)
- support.apple.com/en-us/127121 (NVD: Release Notes, Vendor Advisory)
News mentions
- ZDI-26-313: Apple Safari Regular Expression Duplicate Named Groups Heap-based Buffer Overflow Remote Code Execution Vulnerability (Zero Day Initiative, May 12, 2026)