CVE-2026-28859 Overview
CVE-2026-28859 is an Out-of-Bounds Read vulnerability affecting Apple's WebKit browser engine across multiple Apple platforms. The vulnerability stems from improper memory handling that allows a malicious website to process restricted web content outside the sandbox. This sandbox escape vulnerability could enable attackers to access data that should be isolated within the browser's security boundary.
Critical Impact
A malicious website may be able to process restricted web content outside the sandbox, potentially enabling access to sensitive data outside the browser's security context.
Affected Products
- Apple Safari prior to version 26.4
- Apple iOS and iPadOS prior to version 26.4
- Apple macOS Tahoe prior to version 26.4
- Apple tvOS prior to version 26.4
- Apple visionOS prior to version 26.4
- Apple watchOS prior to version 26.4
Discovery Timeline
- 2026-03-25 - CVE-2026-28859 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-28859
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read), indicating that the WebKit engine reads data from a memory location that is outside the intended buffer boundary. The flaw exists in how WebKit handles certain memory operations when processing web content. When exploited, the vulnerability allows malicious web content to escape the browser sandbox, which is designed to isolate web processes from the underlying operating system and other sensitive resources.
The attack requires user interaction—specifically, a user must visit a malicious website crafted to trigger the vulnerability. Once triggered, the attacker could potentially read restricted information that should be protected by the sandbox boundary, leading to information disclosure.
Root Cause
The root cause of CVE-2026-28859 lies in improper memory handling within WebKit's content processing routines. When certain web content is processed, the engine fails to properly validate memory boundaries, resulting in an out-of-bounds read condition. This memory safety issue was addressed by Apple through improved memory handling mechanisms in the patched versions.
Attack Vector
The attack vector for CVE-2026-28859 is network-based and requires user interaction. An attacker would need to:
- Host malicious content on a website or inject it into a compromised legitimate site
- Lure the victim to visit the malicious page using an affected Apple browser or WebKit-based application
- The malicious web content triggers the memory handling flaw
- The vulnerability allows the content to process data outside the sandbox restrictions
The vulnerability affects WebKit across all Apple platforms, meaning users of Safari, iOS, iPadOS, macOS, tvOS, visionOS, and watchOS are all potentially at risk until they update to the patched versions.
Detection Methods for CVE-2026-28859
Indicators of Compromise
- Unusual WebKit process behavior attempting to access resources outside normal sandbox boundaries
- Unexpected memory access patterns in Safari or WebKit-based applications
- Web browsing sessions exhibiting abnormal content processing activities
Detection Strategies
- Monitor for WebKit processes attempting to access files or memory regions outside their designated sandbox
- Implement endpoint detection rules for anomalous Safari or embedded browser behavior
- Deploy SentinelOne agents to detect exploitation attempts through behavioral analysis
Monitoring Recommendations
- Enable detailed logging for Safari and WebKit processes on enterprise-managed Apple devices
- Monitor network traffic for connections to known malicious domains that may host exploit code
- Review endpoint telemetry for signs of sandbox escape attempts on Apple platforms
How to Mitigate CVE-2026-28859
Immediate Actions Required
- Update all Apple devices to Safari 26.4, iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, or watchOS 26.4 immediately
- Enable automatic updates on all Apple devices to ensure timely patching
- Review Apple's security advisories for additional guidance and details
- Consider temporarily restricting browsing to trusted sites on unpatched devices
Patch Information
Apple has released security updates addressing this vulnerability across all affected platforms. The fix involves improved memory handling within WebKit to prevent the out-of-bounds read condition.
For detailed patch information, refer to the following Apple Security Advisories:
- Apple Security Advisory #126792
- Apple Security Advisory #126794
- Apple Security Advisory #126797
- Apple Security Advisory #126798
- Apple Security Advisory #126799
- Apple Security Advisory #126800
Workarounds
- Use alternative browsers that do not rely on WebKit for critical browsing activities until patching is complete
- Implement web content filtering to block access to untrusted or potentially malicious websites
- Deploy mobile device management (MDM) policies to restrict WebKit-based application usage on unpatched devices
# Verify Safari version on macOS
/Applications/Safari.app/Contents/MacOS/Safari --version
# Check for available macOS updates
softwareupdate --list
# Install all available security updates
softwareupdate --install --all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
