VYPR
High severity · 7.5 · NVD Advisory · Published May 11, 2026 · Updated May 13, 2026

CVE-2026-28953

Description

The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read in WebKit, triggered by malicious web content, could cause a denial of service through an unexpected process crash on multiple Apple platforms.

Vulnerability

CVE-2026-28953 is an out-of-bounds read vulnerability in Apple's WebKit engine, which was addressed with improved bounds checking [1][2]. The issue is triggered when processing maliciously crafted web content, leading to an unexpected process crash [1]. The root cause is an insufficient bounds check that allows reading memory beyond allocated buffers.

Impact

A remote attacker could leverage this vulnerability by crafting a malicious webpage that, when visited by a user on an unpatched device, would cause the application processing the content (most commonly Safari or any app that uses WebView) to crash. This denial-of-service condition could transiently disrupt a user's work or browsing session. An app may be able to cause a denial-of-service, as noted in the official advisory [1].

Mitigation

Apple has released patches for multiple operating systems as of May 11, 2026 [1][2][3][4]. The following versions contain the fix: Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5 [1][2][3]. Users are strongly advised to update their devices to the latest available software version to mitigate this vulnerability.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

References

7
