CVE-2026-28955 Overview
CVE-2026-28955 is a memory handling vulnerability affecting multiple Apple operating systems and the Safari browser. Apple addressed the issue with improved memory handling in Safari 26.5, iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Processing maliciously crafted web content may trigger an unexpected process crash. The flaw is categorized under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer) and is reachable remotely through the network without authentication or user interaction.
Critical Impact
Remote attackers can crash the Safari or WebKit-based process on unpatched Apple devices by serving maliciously crafted web content, disrupting browser availability across iPhone, iPad, Mac, Apple TV, Apple Watch, and Vision Pro.
Affected Products
- Apple iOS and iPadOS prior to 18.7.9 and 26.5
- Apple macOS Tahoe prior to 26.5, Safari prior to 26.5
- Apple tvOS, watchOS, and visionOS prior to 26.5
Discovery Timeline
- 2026-05-11 - CVE-2026-28955 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-28955
Vulnerability Analysis
The vulnerability resides in the memory handling logic of Apple's WebKit-based web content processing across Safari and the WebKit framework shipped with iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Apple's advisory states the issue was addressed with improved memory handling, indicating a memory safety defect mapped to [CWE-119]. When a victim browses to attacker-controlled content, the rendering process performs an unsafe memory operation that destabilizes the process. The result is an unexpected process crash, causing loss of availability for the affected browser or embedded WebView. The flaw does not, according to Apple, expose confidentiality or integrity properties—only availability is impacted.
Root Cause
The root cause is improper restriction of operations within the bounds of a memory buffer inside the web content parsing or rendering path. Apple's mitigation language—"improved memory handling"—indicates a code fix that constrains memory operations during processing of crafted DOM, script, or media content. The defect is triggered by content the browser parses, not by user privilege escalation.
Attack Vector
Exploitation requires only that a user load attacker-controlled web content in Safari or any application embedding WebKit. There is no authentication or user interaction requirement beyond visiting the page, which can be delivered through phishing links, malicious advertisements, compromised sites, or in-app web views. Successful exploitation crashes the rendering process, producing a denial-of-service condition. No public proof-of-concept or in-the-wild exploitation has been reported, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
// No verified public exploit code is available for CVE-2026-28955.
// Refer to Apple's security advisories for affected components and fix details.
Detection Methods for CVE-2026-28955
Indicators of Compromise
- Repeated com.apple.WebKit.WebContent or Safari renderer process crashes recorded in macOS unified logs or iOS crash reports following web browsing activity.
- Diagnostic reports under ~/Library/Logs/DiagnosticReports/ referencing WebKit memory faults such as EXC_BAD_ACCESS shortly after visiting untrusted URLs.
- Outbound network connections from managed endpoints to newly registered or low-reputation domains immediately preceding browser instability.
Detection Strategies
- Monitor endpoint telemetry for abnormal frequency of WebKit or Safari child process terminations correlated with specific URLs or referrers.
- Inspect web proxy and DNS logs for users visiting domains that consistently coincide with browser crash events across multiple devices.
- Apply MDM compliance checks to flag Apple devices running OS or Safari builds older than the fixed versions listed in Apple's advisories.
Monitoring Recommendations
- Aggregate crash reports from macOS and iOS fleets into a centralized SIEM or data lake to baseline normal WebKit crash rates and alert on spikes.
- Track installed OS and Safari versions through asset inventory and trigger alerts when devices fall behind the patched releases.
- Correlate browser crash events with URL categorization data to surface clusters indicative of targeted DoS attempts.
How to Mitigate CVE-2026-28955
Immediate Actions Required
- Update all Apple devices to iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5, and Safari 26.5 or later.
- Push the updates through MDM with enforced compliance deadlines to prevent users from deferring installation.
- Restrict access to untrusted websites at the network perimeter using URL filtering until all endpoints are patched.
Patch Information
Apple has released fixes across all affected platforms. Refer to the vendor advisories for full version details: Apple Support Document #127110, Apple Support Document #127111, Apple Support Document #127115, Apple Support Document #127118, Apple Support Document #127119, Apple Support Document #127120, and Apple Support Document #127121.
Workarounds
- Disable JavaScript in Safari for high-risk users via Configuration Profiles until patches are deployed, accepting the usability tradeoff.
- Route browser traffic through a secure web gateway that blocks known malicious domains and inspects content for anomalies.
- Educate users to avoid clicking unsolicited links and to report unexpected browser crashes to the security team for investigation.
# Verify the installed macOS and Safari versions on managed endpoints
sw_vers -productVersion
defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString
# Trigger MDM-managed software update on macOS
sudo softwareupdate -i -a -R
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
