CVE-2026-28947 Overview
CVE-2026-28947 is a use-after-free vulnerability [CWE-416] affecting Apple's WebKit-based browsing stack across multiple operating systems. Processing maliciously crafted web content can trigger an unexpected Safari crash and potentially enable arbitrary code execution in the renderer process. Apple addressed the flaw with improved memory management in Safari 26.5, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. The vulnerability is exploitable over the network and requires user interaction, such as visiting a malicious page.
Critical Impact
An attacker can crash Safari and potentially execute code in the WebContent (renderer) process when a victim visits an attacker-controlled webpage.
Affected Products
- Apple iOS and iPadOS prior to 26.5
- Apple macOS Tahoe prior to 26.5 and Safari prior to 26.5
- Apple tvOS, visionOS, and watchOS prior to 26.5
Discovery Timeline
- 2026-05-11 - CVE-2026-28947 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-28947
Vulnerability Analysis
The flaw is a use-after-free condition in Apple's web content processing stack. Apple's advisories indicate the issue was addressed with improved memory management, which is consistent with a lifetime tracking error on a heap-allocated object. When Safari parses or renders specifically crafted web content, an object is freed while another code path retains a dangling reference. Subsequent dereference of that reference operates on memory that has been reclaimed or repurposed by the allocator.
The attack vector is network-based with low complexity and no privileges required, but user interaction is necessary. A typical exploitation path involves the victim navigating to a malicious site or loading attacker-controlled content embedded in a trusted page. Impacts to confidentiality, integrity, and availability are all high, reflecting the potential for renderer-level code execution rather than a simple crash.
Root Cause
The root cause is improper management of object lifetimes within Safari's content handling logic. The fix tightens ownership and release semantics so that references cannot outlive the underlying allocation. Apple has not published deeper technical detail beyond the advisory text.
Attack Vector
An attacker hosts crafted HTML, JavaScript, or media content on a page reachable by the victim. When the victim's Safari instance processes the content, the use-after-free triggers, leading to a crash or controlled corruption of process memory. Exploitation does not require credentials or local access.
No verified public proof-of-concept code is available for CVE-2026-28947. Refer to the Apple Support advisories for vendor-supplied technical context.
Detection Methods for CVE-2026-28947
Indicators of Compromise
- Unexpected Safari or WebContent process crashes recorded in macOS DiagnosticReports or iOS crash logs, particularly with EXC_BAD_ACCESS or heap corruption signatures.
- Outbound connections from Safari to recently registered or low-reputation domains immediately preceding a renderer crash.
- Repeated reloads of the same URL across multiple endpoints followed by abnormal child process termination.
Detection Strategies
- Inventory Apple endpoints and flag devices running Safari, iOS, iPadOS, macOS, tvOS, visionOS, or watchOS versions earlier than 26.5.
- Correlate browser crash telemetry with web proxy logs to identify URLs that consistently produce WebContent faults.
- Hunt for anomalous child processes spawned by Safari following a navigation event, which may indicate post-exploitation behavior.
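The second strategy above (correlating crash telemetry with proxy logs) and the crash-related indicators listed earlier can be implemented as a simple join on host and time. The following is an added example, not part of the original advisory: it runs over constructed crash events and proxy records, keeps only WebContent crashes with an EXC_BAD_ACCESS signature, and ranks URLs fetched shortly before such crashes on more than one host. The field layout and the 30-second window are assumptions to adapt to your own telemetry.

```python
"""Rank URLs that repeatedly precede WebContent crashes (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed crash telemetry: (host, ISO timestamp, crashing process, exception type).
CRASH_EVENTS = [
    ("mac-01", "2026-05-12T09:14:32", "com.apple.WebKit.WebContent", "EXC_BAD_ACCESS (SIGSEGV)"),
    ("mac-02", "2026-05-12T10:02:11", "com.apple.WebKit.WebContent", "EXC_BAD_ACCESS (SIGSEGV)"),
    ("mac-03", "2026-05-12T10:40:05", "com.apple.WebKit.WebContent", "EXC_BAD_ACCESS (SIGSEGV)"),
    ("mac-01", "2026-05-12T11:00:00", "Mail", "EXC_CRASH (SIGABRT)"),  # unrelated crash, filtered out
]

# Constructed proxy log: (host, ISO timestamp, requested URL). Hostnames are placeholders.
PROXY_LOG = [
    ("mac-01", "2026-05-12T09:14:20", "https://intranet.example.test/news"),
    ("mac-01", "2026-05-12T09:14:28", "https://lure.example.test/offer.html"),
    ("mac-02", "2026-05-12T10:01:30", "https://search.example.test/?q=x"),   # outside the window
    ("mac-02", "2026-05-12T10:01:58", "https://lure.example.test/offer.html"),
    ("mac-03", "2026-05-12T09:00:00", "https://lure.example.test/offer.html"),  # too early to count
    ("mac-03", "2026-05-12T10:39:59", "https://lure.example.test/offer.html"),
    ("mac-01", "2026-05-12T10:59:55", "https://mail.example.test/"),  # precedes a non-WebContent crash
]


def webcontent_crashes(events):
    """Keep only renderer crashes with a memory-access fault signature."""
    return [(host, datetime.fromisoformat(ts)) for host, ts, proc, exc in events
            if proc.endswith("WebContent") and exc.startswith("EXC_BAD_ACCESS")]


def suspect_urls(crashes, proxy_log, window_seconds=30):
    """Map each URL to the set of hosts that fetched it within the window before a crash."""
    by_host = defaultdict(list)
    for host, ts, url in proxy_log:
        by_host[host].append((datetime.fromisoformat(ts), url))
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(set)
    for host, crash_at in crashes:
        for fetched_at, url in by_host.get(host, []):
            if crash_at - window <= fetched_at <= crash_at:
                hits[url].add(host)
    return hits


def rank(hits, min_hosts=2):
    """Sort URLs seen before crashes on at least min_hosts distinct hosts, most hosts first."""
    return sorted(((url, len(hosts)) for url, hosts in hits.items() if len(hosts) >= min_hosts),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    for url, count in rank(suspect_urls(webcontent_crashes(CRASH_EVENTS), PROXY_LOG)):
        print(f"{count} hosts crashed shortly after fetching {url}")
```

A URL that appears once is usually noise; the ranking deliberately requires the same URL to precede crashes on several endpoints before it is surfaced for investigation.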
Monitoring Recommendations
- Forward macOS unified logs and iOS device crash reports into a centralized logging pipeline for retrospective analysis.
- Monitor MDM compliance dashboards for OS versions and enforce remediation SLAs on devices that remain unpatched.
- Track DNS and HTTP egress from Safari processes to detect interaction with known-malicious infrastructure.
How to Mitigate CVE-2026-28947
Immediate Actions Required
- Update all Apple devices to Safari 26.5, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, or watchOS 26.5.
- Use mobile device management to push the updates and verify installation across the fleet.
- Instruct users to avoid untrusted links and to restart Safari after applying the update so older processes are not retained in memory.
Patch Information
Apple released fixes in the 26.5 update train. See the following advisories: Apple Support Document 127110, Apple Support Document 127115, Apple Support Document 127118, Apple Support Document 127119, Apple Support Document 127120, and Apple Support Document 127121.
Workarounds
- Where immediate patching is not possible, restrict Safari usage and direct users to a hardened, fully patched alternative browser.
- Enforce web filtering at the network edge to block access to known-malicious and newly registered domains.
- Disable JavaScript in Safari for high-risk users via configuration profiles until the update is deployed.
# Verify installed macOS and Safari versions before and after patching
sw_vers -productVersion
defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString
# Trigger MDM-managed software update on macOS
sudo softwareupdate --install --all --restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.