VYPR
High severity · 7.5 · NVD Advisory · Published May 11, 2026 · Updated May 13, 2026

CVE-2026-28904

Description

The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Processing maliciously crafted web content on multiple Apple platforms can cause an unexpected crash of the process running WebKit. This page's AI summary attributes the crash to an out-of-bounds read; Apple's own description says only that the issue "was addressed with improved memory handling" and does not name the defect class.

Vulnerability

CVE-2026-28904 is a memory-safety bug in WebKit, the engine used by Safari and by any app that embeds a WKWebView across Apple's operating systems. Apple's advisories for iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5 and visionOS 26.5 describe the fix only as "improved memory handling" [1][2][3]. This narrative characterizes the defect as an out-of-bounds read in which WebKit reads past the intended buffer while processing certain web content; the advisory text does not name the bug class, so treat that characterization as unconfirmed. What the references do support is that processing crafted web content triggers a memory-handling fault that terminates the process.

Exploitation

To exploit this vulnerability, an attacker needs to craft malicious web content and get a vulnerable WebKit instance to process it: a page the victim opens in Safari, or HTML rendered by any app that embeds WebKit. No authentication or special network position is required beyond the ability to serve or deliver the content; the victim only needs to load it. The affected population is every platform named in the description (iOS and iPadOS on both the 18.7 and 26 branches, macOS Tahoe, tvOS, visionOS, watchOS, and Safari on supported macOS releases) running a version earlier than the fixed release [1][2][3]. Nothing on this page indicates in-the-wild exploitation; Apple's description carries no "may have been exploited" note.

Impact

Successful exploitation leads to an unexpected process crash (denial of service): the memory-handling fault makes the browser or the application embedding WebKit terminate abnormally. Because WebKit renders pages in a separate WebContent process, a crash will often take down only that process rather than the host app, so the practical effect is loss of availability, not loss of data. There is no indication of code execution or data exfiltration in the available references. The CVSS v3 score is 7.5 (High). One caveat before reusing that number in risk ranking: with availability-only impact, 7.5 is the score of the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while the same impact with User Interaction set to Required (the victim must load the content, as the Exploitation section describes) scores 6.5. Confirm the vector NVD actually published rather than inferring it from the narrative.

Mitigation

Apple has released fixes for all affected platforms: Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5 [1][2][3][4]. Update to the listed release for each platform; note that iOS and iPadOS have two maintained branches, so a device on 18.7.x is fixed at 18.7.9 and does not need to move to 26.x. Safari 26.5 is listed separately because Apple ships standalone Safari updates for supported earlier macOS releases, so Macs not on Tahoe should take that update. No workarounds have been published.
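An added fleet-triage helper, written for this page rather than taken from Apple or VYPR, that classifies an installed version against the fixed releases quoted in the description. It compares each device against the fix on its own major branch (so iOS 18.6 is judged against 18.7.9, not 26.5), and it refuses to call a major release the advisory never mentions safe. The sample inventory, including hostnames and versions, is constructed for illustration.

```python
"""Fixed-version check for CVE-2026-28904 (added example; not Apple's or VYPR's code)."""

# Fixed releases exactly as listed in the advisory description, keyed by platform.
# iOS and iPadOS each have two maintained branches (18.7.x and 26.x).
FIXED_VERSIONS = {
    "ios":      ["18.7.9", "26.5"],
    "ipados":   ["18.7.9", "26.5"],
    "macos":    ["26.5"],
    "safari":   ["26.5"],
    "tvos":     ["26.5"],
    "visionos": ["26.5"],
    "watchos":  ["26.5"],
}


def parse_version(text: str) -> tuple:
    """'18.7.9' -> (18, 7, 9); tuples of ints compare correctly component-wise,
    which plain string comparison does not ('18.7.10' < '18.7.9' as strings)."""
    return tuple(int(part) for part in text.strip().split("."))


def fix_status(platform: str, installed: str) -> str:
    """Classify an installed version against the advisory's fix list.

    Returns 'fixed', 'vulnerable' or 'not-covered'. A version is compared only
    against the fix on its own major branch. A major release the advisory does not
    mention (for example iOS 17) is 'not-covered': the advisory says nothing about
    it, and a triage tool must not report it as safe by default.
    """
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform {platform!r}")
    have = parse_version(installed)
    for fixed in FIXED_VERSIONS[key]:
        want = parse_version(fixed)
        if have[0] == want[0]:
            return "fixed" if have >= want else "vulnerable"
    return "not-covered"


def triage(inventory):
    """Map a list of (hostname, platform, version) tuples to per-host findings."""
    return {host: fix_status(platform, version) for host, platform, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for illustration.
    sample = [
        ("mbp-01",   "macos",  "26.5"),
        ("mbp-02",   "macos",  "26.4.1"),
        ("iphone-a", "ios",    "18.7.9"),
        ("iphone-b", "ios",    "18.7.8"),
        ("iphone-c", "ios",    "26.5.1"),
        ("ipad-old", "ipados", "17.7.2"),
    ]
    for host, status in triage(sample).items():
        print(f"{host:10} {status}")
```

On a Mac, `sw_vers -productVersion` gives the OS version to feed in; a Mac on an earlier macOS release will come back "not-covered" for the OS row, and the right follow-up is to check its Safari version against the "safari" entry instead. Strings that carry a build number in parentheses need that suffix stripped before parsing.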

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0 (no linked articles in our index yet)