Apple Safari Zero-Day CVE-2026-28847 Allows Remote Code Execution via Malicious Web Pages
Apple has patched a high-severity heap-based buffer overflow in Safari's handling of regular expression duplicate named groups that could allow remote code execution when a user visits a malicious web page.

Apple has released a security update for CVE-2026-28847, a high-severity vulnerability in Safari that could allow remote attackers to execute arbitrary code on affected systems. The flaw was reported through Trend Micro's Zero Day Initiative as ZDI-26-313, carries a CVSS score of 8.8 (High, not Critical, under the CVSS scale), and affects versions of Safari prior to the patched release.
The vulnerability lies in Safari's handling of regular expression duplicate named groups, the syntax that lets the same capture-group name be reused in different alternatives of one pattern. The regular expression engine fails to validate the length of user-supplied data before copying it into a fixed-size heap buffer, producing a heap-based buffer overflow. An attacker exploits this by convincing a user to visit a specially crafted web page or open a malicious file; the overflow then yields code execution in the context of the current process. In Safari that process is normally the sandboxed WebContent renderer, so full device compromise would require chaining a separate sandbox-escape bug.
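To make the bug class concrete, here is an added illustration in C. It is not Safari's or WebKit's code; the parser, the limits MAX_NAME_LEN and MAX_GROUPS, and the sample patterns are all assumptions made for this example. It parses the `(?<name>` syntax, counts names that are reused within one pattern (the duplicate-named-group case the advisory describes), and places the unchecked copy that produces a heap overflow beside the bounds-checked copy that the parser actually uses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME_LEN 32   /* longest group name the table stores (assumed limit) */
#define MAX_GROUPS   16   /* most named groups one pattern may declare (assumed) */

/* UNSAFE (illustrative only): trusts the parsed length and copies it into a
   fixed-size heap allocation. A name longer than MAX_NAME_LEN writes past the
   end of buf, which is the heap-overflow bug class described above. The
   parser below never calls this. */
char *copy_name_unchecked(const char *start, size_t len) {
    char *buf = malloc(MAX_NAME_LEN + 1);
    if (!buf) return NULL;
    memcpy(buf, start, len);          /* no check that len <= MAX_NAME_LEN */
    buf[len] = '\0';
    return buf;
}

/* HARDENED: rejects a name that does not fit before touching the heap. */
char *copy_name_checked(const char *start, size_t len) {
    if (len == 0 || len > MAX_NAME_LEN) return NULL;
    char *buf = malloc(MAX_NAME_LEN + 1);
    if (!buf) return NULL;
    memcpy(buf, start, len);
    buf[len] = '\0';
    return buf;
}

typedef struct {
    char *names[MAX_GROUPS];  /* heap-allocated, in order of appearance */
    int count;                /* names stored */
    int duplicates;           /* occurrences of a name already seen earlier */
} group_table;

/* Scans pattern for named capture groups "(?<name>" (skipping lookbehind
   "(?<=" and "(?<!") and records every name, counting reuses. Returns 0 on
   success, -1 on an unterminated, empty, overlong or over-numerous name.
   Simplified: escapes and character classes are not parsed. The caller
   releases the table with free_group_table() on either path. */
int collect_named_groups(const char *pattern, group_table *t) {
    memset(t, 0, sizeof *t);
    const char *p = pattern;
    while ((p = strstr(p, "(?<")) != NULL) {
        p += 3;
        if (*p == '=' || *p == '!') continue;     /* lookbehind, not a group */
        const char *end = strchr(p, '>');
        if (!end || t->count >= MAX_GROUPS) return -1;
        char *name = copy_name_checked(p, (size_t)(end - p));
        if (!name) return -1;                     /* overlong or empty name */
        for (int i = 0; i < t->count; i++)
            if (strcmp(t->names[i], name) == 0) { t->duplicates++; break; }
        t->names[t->count++] = name;
        p = end + 1;
    }
    return 0;
}

void free_group_table(group_table *t) {
    for (int i = 0; i < t->count; i++) free(t->names[i]);
    t->count = 0;
}

/* Convenience wrappers: number of named groups in pattern, or -1 if the
   pattern is rejected; and number of duplicate-name occurrences, or -1. */
int named_group_count(const char *pattern) {
    group_table t;
    int rc = collect_named_groups(pattern, &t);
    int n = (rc == 0) ? t.count : -1;
    free_group_table(&t);
    return n;
}

int duplicate_name_count(const char *pattern) {
    group_table t;
    int rc = collect_named_groups(pattern, &t);
    int n = (rc == 0) ? t.duplicates : -1;
    free_group_table(&t);
    return n;
}

int main(void) {
    /* Constructed sample: the ES2025 duplicate-named-group idiom, where the
       same name "year" is reused in two alternatives. */
    const char *dup = "(?<year>\\d{4})-\\d{2}|\\d{2}-(?<year>\\d{4})";
    /* Constructed sample: a 40-character name, longer than MAX_NAME_LEN. */
    const char *big = "(?<" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" ">x)";
    printf("groups=%d duplicates=%d\n", named_group_count(dup), duplicate_name_count(dup));
    printf("overlong name accepted? %s\n", named_group_count(big) < 0 ? "no (rejected)" : "yes");
    return 0;
}
```

The only difference between the two copy routines is the length comparison before malloc and memcpy; a parser that computes the name length from attacker-controlled pattern text and reaches the unchecked routine is exactly the shape of flaw the advisory describes, and the fix is the check, not a larger buffer.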
Given that Safari is the default browser on macOS and iOS devices, the potential impact is significant. Apple has issued an update to correct the vulnerability, with details available in their security advisory at https://support.apple.com/en-ca/127115. Users are strongly advised to apply the latest updates as soon as possible.
The vulnerability was reported to Apple on March 26, 2026, and the coordinated public release of the advisory followed on May 12, 2026. The researcher who discovered the flaw chose to remain anonymous. Apple has not disclosed evidence of active exploitation in the wild, but the high CVSS score and the low attacker prerequisites (no privileges on the target, only the user being lured to attacker-controlled content) make it an attractive target now that the advisory is public.
This is the latest in a series of browser vulnerabilities Apple has patched in recent months. The company has been prompt in addressing reported issues, but the complexity of modern web technologies, including newer regular expression syntax such as duplicate named groups, continues to introduce new attack surface. Users should ensure that automatic updates are enabled and apply the latest Safari update immediately; no workaround other than the update has been published.