Apple Safari Use-After-Free Vulnerability in Web Inspector Style Resolver Allows Remote Code Execution
Apple has patched CVE-2026-28955, a use-after-free vulnerability in Safari's Web Inspector WebCore style resolver that could allow remote code execution when a user visits a malicious page.

Apple has released a security update to address CVE-2026-28955, a use-after-free vulnerability in Safari's Web Inspector WebCore style resolver that could allow remote code execution in the browser process. The flaw, reported by researcher wac through the Zero Day Initiative (ZDI-26-312), affects all versions of Safari prior to the patch. Apple's advisory, available at support.apple.com, urges users to update immediately.
The vulnerability exists within the WebCore style resolver component of Web Inspector. The code does not validate that an object still exists before performing operations on it, which leads to a use-after-free condition. An attacker can exploit this by convincing a user to visit a malicious webpage or open a specially crafted file. Successful exploitation allows the attacker to execute arbitrary code in the context of the browser process, potentially compromising the entire system.
The vulnerability carries a CVSS score of 7.5, with a vector of AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates high impact on confidentiality, integrity, and availability, though the attack complexity is high and user interaction is required. The flaw was responsibly disclosed to Apple on March 5, 2026, and the coordinated public advisory was released on May 12, 2026.
Use-after-free vulnerabilities are a common class of memory corruption bugs that occur when a program continues to use a pointer after the memory it points to has been freed. In web browsers, such flaws are particularly dangerous because they can be triggered by simply visiting a malicious website. This vulnerability in Safari's Web Inspector is especially concerning because Web Inspector is a core debugging tool that runs with elevated privileges within the browser.
Apple has not disclosed whether this vulnerability has been exploited in the wild, but given the high CVSS score and increasing interest in browser zero-days among threat actors, users should prioritize applying the security update. The patch is included in the latest Safari update, which can be installed through the Software Update mechanism on macOS or via the App Store on iOS devices.
This disclosure follows a pattern of increasing scrutiny on browser security, with multiple zero-day vulnerabilities being reported and patched across major browsers in recent months. The involvement of the Zero Day Initiative underscores the importance of coordinated vulnerability disclosure programs in helping vendors address critical flaws before they can be widely exploited.
Users are strongly advised to update their Safari browser to the latest version as soon as possible. Organizations should ensure that their device management policies enforce timely installation of security updates across all endpoints. Additionally, users should exercise caution when clicking on links or opening files from untrusted sources, as this vulnerability requires user interaction to be exploited.