Medium severity 6.5 · NVD Advisory · Published May 11, 2026 · Updated May 14, 2026

CVE-2026-28902

Description

The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Processing malicious web content may cause a denial-of-service via an out-of-bounds read in WebKit, fixed in Apple OS updates.

Vulnerability

Description

CVE-2026-28902 is an out-of-bounds read vulnerability in WebKit, affecting multiple Apple operating systems. The issue arises from improper bounds checking when processing web content, leading to memory corruption. Apple addressed the flaw by improving memory handling and bounds checking in Safari 26.5 and corresponding OS updates [1][2][3][4].

Exploitation

An attacker can exploit this vulnerability by crafting malicious web content and luring a target user to load it. No special privileges are required; the victim only needs to visit a malicious website or open a crafted email. The bug can be triggered without user interaction beyond loading the content. Because it affects the core rendering engine, any application using WebKit, such as Safari, Mail, or third-party browsers, could be a vector.

Impact

Successful exploitation leads to an unexpected process crash, resulting in a denial-of-service condition. The impact is limited to application termination; however, repeated crashes could disrupt user workflows. Apple's advisories list the impact as "An app may be able to cause a denial-of-service" [1][2][3][4].

Mitigation

Apple released fixes on May 11, 2026, for macOS Tahoe 26.5, iOS 26.5, iPadOS 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Users are advised to update their devices to the latest OS versions. No workarounds are provided, and the vulnerability is not known to be exploited in the wild as of the advisory date.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
