CVE-2026-28944

Vulnerability

Overview

CVE-2026-28944 is an out-of-bounds read vulnerability in WebKit, the browser engine used by Safari and other Apple applications. The issue was addressed with improved bounds checking, as described in Apple's security advisories for iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5, and Safari 26.5 [1][2][3][4]. The root cause is an out-of-bounds read, which can lead to unexpected behavior when processing specially crafted web content.

Exploitation

An attacker can exploit this vulnerability by luring a victim to visit a maliciously crafted webpage. No additional privileges or user interaction beyond browsing are required, as the attack vector is through web content. The vulnerability is present in WebKit, which is used by Safari and other applications that render web content on affected Apple platforms [1][2][3][4].

Impact

Successful exploitation could cause an unexpected process crash, leading to a denial-of-service condition. The impact is limited to application termination, and there is no indication of arbitrary code execution or data exfiltration from the available information [1][2][3][4].

Mitigation

Apple has released patches for this vulnerability in iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5, and Safari 26.5. Users are advised to update their devices to the latest available versions to mitigate the risk [1][2][3][4].