CVE-2026-28955
Description
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Processing malicious web content causes out-of-bounds read leading to Safari/iOS process crash; patched in Apple's May 2026 updates.
Description
CVE-2026-28955 is a vulnerability in Apple's WebKit engine that allows remote attackers to cause an unexpected process crash by processing maliciously crafted web content. The root cause is an out-of-bounds read, which was addressed with improved bounds checking in the affected software versions [1][2][3].
Attack Vector
Exploitation requires no user interaction beyond visiting a malicious website. The attacker does not need any special privileges or network position; the vulnerability is triggered automatically when the web content is processed by Safari or any other application using WebKit on affected Apple platforms.
Impact
Successful exploitation results in a denial-of-service (DoS) condition as the application crashes unexpectedly. The crash may cause the browser to terminate or the entire device to become temporarily unresponsive. There is no indication of code execution or data exfiltration based on the available information.
Mitigation
Apple has released patches in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Users are advised to update to the latest versions to mitigate the vulnerability [1][2][3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=26.5
- Range: <=26.5
- Range: <=18.7.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- support.apple.com/en-us/127110 (nvd; Release Notes; Vendor Advisory)
- support.apple.com/en-us/127111 (nvd; Release Notes; Vendor Advisory)
- support.apple.com/en-us/127115 (nvd; Release Notes; Vendor Advisory)
- support.apple.com/en-us/127118 (nvd; Release Notes; Vendor Advisory)
- support.apple.com/en-us/127119 (nvd; Release Notes; Vendor Advisory)
- support.apple.com/en-us/127120 (nvd; Release Notes; Vendor Advisory)
- support.apple.com/en-us/127121 (nvd)
News mentions
- Hackers Earn $1.3 Million at Pwn2Own Berlin 2026 (SecurityWeek, May 18, 2026)
- Windows 11 and Microsoft Edge hacked at Pwn2Own Berlin 2026 (BleepingComputer, May 14, 2026)
- ZDI-26-313: Apple Safari Regular Expression Duplicate Named Groups Heap-based Buffer Overflow Remote Code Execution Vulnerability (Zero Day Initiative, May 12, 2026)
- ZDI-26-312: Apple Safari Web Inspector WebCore Style Resolver Use-After-Free Remote Code Execution Vulnerability (Zero Day Initiative, May 12, 2026)
- Apple Patches Everything, (Mon, May 11th) (SANS Internet Storm Center, May 11, 2026)
- Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution (Unit 42, May 7, 2026)
- Attackers Actively Exploiting Critical Vulnerability in Breeze Cache Plugin (Wordfence Blog, May 5, 2026)
- CloudZ RAT potentially steals OTP messages using Pheno plugin (Cisco Talos Intelligence, May 5, 2026)
- Open-source privacy proxy masks PII before prompts reach external AI services (Help Net Security, May 1, 2026)
- SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack (The Hacker News, Apr 29, 2026)
- Today's Odd Web Requests, (Wed, Apr 29th) (SANS Internet Storm Center, Apr 29, 2026)
- HTTP Requests with X-Vercel-Set-Bypass-Cookie Header, (Tue, Apr 28th) (SANS Internet Storm Center, Apr 28, 2026)
- Attackers Actively Exploiting Critical Vulnerability in Ninja Forms – File Upload Plugin (Wordfence Blog, Apr 16, 2026)
- 30th March – Threat Intelligence Report (Check Point Research, Mar 30, 2026)
- Risky Business #830 -- LiteLLM and security scanner supply chains compromised (Risky Business, Mar 25, 2026)
- Siemens SIMATIC (CISA Alerts)