CVE-2026-28905
Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in Apple's memory handling allows a denial-of-service crash via malicious web content, patched in OS 26.5 updates.
CVE-2026-28905 is a vulnerability in Apple's memory handling that stems from an out-of-bounds read [1][2][3][4]. The issue was addressed with improved bounds checking to prevent reading beyond allocated memory buffers, which could lead to an unexpected process crash when processing maliciously crafted web content [1][2].
The flaw is triggered when a user opens maliciously crafted web content, such as visiting a compromised website. No authentication is required beyond normal user interaction, and the attacker can exploit the vulnerability remotely without special network access [1][2][3][4]. The vulnerable component is the web content rendering engine, affecting Safari and other apps that display web content across multiple Apple platforms.
Successful exploitation results in an unexpected process crash, constituting a denial-of-service (DoS) condition. According to the advisories, an app may be able to cause a denial-of-service due to the out-of-bounds read [1][2][3][4]. While out-of-bounds reads can sometimes lead to memory disclosure or code execution, the described impact is limited to a crash.
Apple has released patches for this vulnerability in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, and visionOS 26.5 [1][2][3][4]. Users are advised to update their devices to the latest software versions to mitigate the risk. No workarounds are provided.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References
- support.apple.com/en-us/127110 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/127115 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/127118 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/127120 (nvd: Release Notes, Vendor Advisory)
- support.apple.com/en-us/127121 (nvd)