CVE-2026-28847 Overview
CVE-2026-28847 is a memory handling vulnerability affecting Apple's WebKit-based browser engine across the company's operating system lineup. Processing maliciously crafted web content can trigger an unexpected process crash, resulting in a denial-of-service condition. Apple addressed the flaw through improved memory handling in Safari 26.5 and accompanying OS updates. The vulnerability is classified under [CWE-119], indicating improper restriction of operations within the bounds of a memory buffer. Exploitation requires user interaction, typically through visiting a malicious webpage. While the issue does not lead to information disclosure or code execution based on available data, the wide deployment of WebKit across Apple's ecosystem makes it relevant for organizations managing Apple fleets.
Critical Impact
Maliciously crafted web content can crash the affected process, disrupting browser functionality and any embedded WebKit instances across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS devices.
Affected Products
- Apple Safari prior to 26.5
- Apple iOS prior to 18.7.9 and iOS 26.5; iPadOS prior to 18.7.9 and iPadOS 26.5
- Apple macOS Tahoe prior to 26.5, tvOS prior to 26.5, visionOS prior to 26.5, watchOS prior to 26.5
Discovery Timeline
- 2026-05-11 - CVE-2026-28847 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-28847
Vulnerability Analysis
The vulnerability resides in Apple's WebKit rendering engine, which powers Safari and any application embedding web content on Apple platforms. When the engine processes crafted HTML, CSS, or JavaScript, a memory handling defect causes the renderer process to terminate unexpectedly. Apple's advisory describes the fix as "improved memory handling," indicating the original code path failed to correctly manage buffer boundaries or object lifetimes. The categorization under [CWE-119] places this issue in the broad family of buffer-bound restriction failures. Because no confidentiality or integrity impact is reported, exploitation appears limited to availability disruption rather than arbitrary code execution.
Root Cause
The defect involves improper memory handling within WebKit components responsible for parsing or rendering attacker-controlled web content. Specific function names and affected code paths are not disclosed in Apple's public advisory. The patch alters memory handling logic to prevent the conditions that trigger the crash.
Attack Vector
An attacker hosts crafted content on a webpage and lures a victim into visiting it through phishing, malvertising, or a compromised site. When the victim's browser renders the page, the WebKit process crashes. The attack requires user interaction and operates over the network. No authentication or privileges are needed on the target device. Embedded WebKit instances in third-party iOS and macOS applications are also exposed.
Detection Methods for CVE-2026-28847
Indicators of Compromise
- Repeated Safari or WebKit-based application crashes shortly after navigating to external links or rendering embedded web content
- Crash reports in ~/Library/Logs/DiagnosticReports/ on macOS referencing com.apple.WebKit.WebContent or related processes
- Browser tabs reloading or showing "A problem repeatedly occurred" messages tied to specific URLs
Detection Strategies
- Correlate endpoint crash telemetry with browsing history to identify URLs preceding WebKit process termination
- Inventory Apple devices against the fixed versions (Safari 26.5, iOS/iPadOS 18.7.9 or 26.5, macOS Tahoe 26.5, tvOS/visionOS/watchOS 26.5) to flag unpatched assets
- Inspect web proxy and DNS logs for connections to suspicious domains preceding browser crashes reported by users
Monitoring Recommendations
- Aggregate macOS and iOS crash logs into a central log platform and alert on spikes in WebKit content process terminations
- Monitor patch compliance dashboards to confirm rollout of the May 2026 Apple security updates across managed devices
- Track threat intelligence sources for emerging proof-of-concept content targeting WebKit memory handling
How to Mitigate CVE-2026-28847
Immediate Actions Required
- Deploy Apple's May 2026 security updates to all managed iOS, iPadOS, macOS, tvOS, visionOS, and watchOS devices through MDM or Software Update
- Upgrade Safari to version 26.5 on supported macOS releases that receive the browser independently of the OS update
- Notify users to avoid untrusted links and enable automatic updates on personal devices used for work
Patch Information
Apple released fixes in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Refer to the official advisories: Apple Support Document #127110, Apple Support Document #127111, Apple Support Document #127115, Apple Support Document #127118, Apple Support Document #127119, Apple Support Document #127120, and Apple Support Document #127121.
Workarounds
- Restrict browsing to trusted sites until patches are applied, using content filtering at the network gateway
- Disable JavaScript in Safari preferences for high-risk users when feasible, accepting reduced site functionality
- Use MDM policies to enforce automatic OS updates and prevent users from deferring security patches
# Verify Safari version on macOS
defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString
# Check macOS version
sw_vers -productVersion
# Trigger software update check via CLI
sudo softwareupdate --list
sudo softwareupdate --install --all --restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
