VYPR
← All advisories
High severity7.5NVD Advisory· Published May 11, 2026· Updated May 13, 2026

CVE-2026-43658

CVE-2026-43658

Description

The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read in WebKit allows malicious web content to crash Safari, leading to denial-of-service.

CVE-2026-43658 is an out-of-bounds read vulnerability in WebKit, the browser engine underlying Safari. Apple addressed the issue by improving bounds checking [1][2][3][4].

An attacker can trigger the bug by convincing a user to process maliciously crafted web content, such as visiting a compromised website or opening a crafted email. No special privileges are required beyond the victim's browser rendering the content.

Successful exploitation causes an unexpected Safari crash, resulting in a denial-of-service condition. The impact is limited to application termination; no code execution or data exfiltration has been reported.

Apple has patched the vulnerability in Safari 26.5, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Users are advised to update their devices to the latest software versions.

References
  1. About the security content of macOS Tahoe 26.5 - Apple Support
  2. About the security content of iOS 26.5 and iPadOS 26.5 - Apple Support
  3. About the security content of visionOS 26.5 - Apple Support
  4. About the security content of tvOS 26.5 - Apple Support

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

1