VYPR
Medium severity (6.5) · NVD Advisory · Published May 11, 2026 · Updated May 14, 2026

CVE-2026-28903


Description

An out-of-bounds read in WebContent processing, fixed by improved bounds checking, could cause denial-of-service via malicious web content on Apple platforms.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

An out-of-bounds read vulnerability exists in WebKit's memory handling when processing maliciously crafted web content. The issue is present in releases prior to the respective security updates: Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Apple's advisory notes that the bug was addressed with improved bounds checking [1][2][3].

Exploitation

An attacker can trigger the out-of-bounds read by convincing a user to open a specially crafted webpage. No additional authentication or network position beyond serving the malicious content is required; the attack is mediated through the user's browser. The crash occurs during the parsing or rendering of the webpage [1].

Impact

Successful exploitation results in an unexpected process crash, leading to a denial-of-service condition. The impact is limited to denial-of-service; the advisory does not indicate code execution or data exposure [1][2][3].

Mitigation

Apple released security updates on May 11, 2026 for Safari 26.5, iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Users should update to the latest available versions to remediate the vulnerability [1][2][3]. No workarounds are documented.
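To turn the fixed-release list above into a fleet check, the following added example (not part of the advisory or any Apple tooling) triages inventory rows against those versions. The inventory rows and host names are constructed, and matching a device to a fix by major version line is an assumption; major lines the page does not name are reported as `unknown` rather than guessed.

```python
# Fixed releases as listed in the Mitigation paragraph above.
# Assumption: a device is matched to a fixed release by its major version line.
FIXED = {
    "safari": ["26.5"],
    "ios": ["18.7.9", "26.5"],
    "ipados": ["18.7.9", "26.5"],
    "macos": ["26.5"],
    "tvos": ["26.5"],
    "visionos": ["26.5"],
    "watchos": ["26.5"],
}

INVENTORY = [  # constructed sample rows: (host, platform, version)
    ("iphone-01", "iOS", "18.7.8"),
    ("iphone-02", "iOS", "26.5"),
    ("ipad-01", "iPadOS", "18.7.9"),
    ("mac-01", "macOS", "26.4.1"),
    ("mac-02", "macOS", "15.7"),
    ("watch-01", "watchOS", "26.5.1"),
]

def parse(version):
    """'26.5' -> (26, 5, 0); short versions are zero-padded to three parts."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def status(platform, version):
    """Return 'patched', 'needs-update' or 'unknown' for one inventory row."""
    fixes = FIXED.get(platform.lower())
    if fixes is None:
        return "unknown"            # platform not named on the page
    try:
        have = parse(version)
    except ValueError:
        return "unknown"            # unparseable version string
    for fix in map(parse, fixes):
        if fix[0] == have[0]:       # same major line as a listed fix
            return "patched" if have >= fix else "needs-update"
    return "unknown"                # major line not listed on the page

def triage(rows):
    return {host: status(platform, version) for host, platform, version in rows}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host}: {result}")
```
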

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
