CVE-2026-28962 Overview
CVE-2026-28962 is an access restriction vulnerability affecting Apple's web content processing across multiple operating systems. Processing maliciously crafted web content may disclose sensitive user information or cause an availability impact on the affected device. Apple addressed the issue with improved access restrictions in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, and visionOS 26.5. The flaw is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and is exploitable over the network without authentication and without user interaction beyond loading the content.
Critical Impact
Remote attackers can serve crafted web content that bypasses access controls, leading to availability impact on affected Apple devices without requiring user credentials or interaction.
Affected Products
- Apple iOS and iPadOS (versions prior to 18.7.9 and 26.5)
- Apple macOS Tahoe (versions prior to 26.5) and Safari prior to 26.5
- Apple visionOS (versions prior to 26.5)
Discovery Timeline
- 2026-05-11 - CVE-2026-28962 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-28962
Vulnerability Analysis
The vulnerability resides in Apple's web content processing pipeline, used by Safari and any application that renders web content through the system's WebKit framework. An attacker who controls or compromises a website can serve crafted markup, scripts, or media that the renderer fails to properly restrict. The processing path lacks sufficient access control enforcement, allowing the malicious content to trigger conditions that impact device availability.
The issue is reachable from a low-complexity network attack with no privileges and no user interaction beyond visiting a page. Because WebKit underlies many embedded views across iOS, iPadOS, macOS, and visionOS, the attack surface extends beyond Safari to in-app browsers and message previews.
Root Cause
Apple's advisory states the issue was resolved with improved access restrictions, indicating that prior code paths in the web content processor permitted operations that should have been gated. The weakness aligns with CWE-200, where insufficient enforcement allows untrusted content to reach resources or code paths that should be isolated from arbitrary web origins.
Attack Vector
Exploitation requires the victim to load attacker-controlled web content. This can occur through a direct visit to a malicious site, a malvertising chain on a legitimate site, an iframe embedded in third-party content, or a WebView inside a mobile application. Once the content is parsed, the access restriction failure is triggered without further interaction.
No verified public proof-of-concept code has been released for CVE-2026-28962. Apple's advisories (Apple Security Update 127110, Apple Security Update 127111, Apple Security Update 127115, and Apple Security Update 127120) describe the fix without disclosing exploitation specifics.
Detection Methods for CVE-2026-28962
Indicators of Compromise
- Safari or WebKit-based application crashes correlated with visits to untrusted domains.
- Unexpected restarts of com.apple.WebKit.WebContent processes on macOS endpoints.
- Mobile device management (MDM) telemetry showing devices running OS builds older than iOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, or visionOS 26.5.
Detection Strategies
- Inventory Apple endpoints and compare installed OS and Safari versions against the patched baselines published by Apple.
- Monitor browser process telemetry for repeated WebContent crashes that may indicate exploitation attempts or unstable pages.
- Correlate web proxy logs with crash events to identify domains serving content that triggers renderer failures.
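The crash-to-proxy correlation described in the last two strategies, as an added example that is not part of the original advisory. The log layouts, the 30-second look-back window and all log lines are constructed for illustration; adapt the parsers to your own crash and proxy log formats.

```python
"""Correlate WebKit WebContent crash events with proxy log entries by host and time."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Field layout is an assumption:
# "<ISO timestamp> <host> <process> <state>" and "<ISO timestamp> <host> <method> <url>".
CRASH_EVENTS = """\
2026-05-12T09:14:05Z mac-001 com.apple.WebKit.WebContent crashed
2026-05-12T09:14:06Z mac-001 com.apple.Safari running
2026-05-12T10:02:40Z mac-002 com.apple.WebKit.WebContent crashed
2026-05-12T11:30:00Z mac-003 com.apple.WebKit.WebContent crashed
"""
PROXY_LOG = """\
2026-05-12T09:13:50Z mac-001 GET https://news.example.com/
2026-05-12T09:13:58Z mac-001 GET https://cdn.bad-ads.example/banner.html
2026-05-12T10:02:31Z mac-002 GET https://cdn.bad-ads.example/banner.html
2026-05-12T11:20:00Z mac-003 GET https://intranet.example.org/
2026-05-12T11:29:55Z mac-003 GET https://docs.example.org/
"""
WINDOW = timedelta(seconds=30)  # how far before a crash a fetch still counts as related


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_crashes(text: str) -> list:
    """Keep only WebContent renderer crashes as (timestamp, host) pairs."""
    out = []
    for line in text.splitlines():
        ts, host, proc, state = line.split()
        if proc == "com.apple.WebKit.WebContent" and state == "crashed":
            out.append((parse_ts(ts), host))
    return out


def parse_proxy(text: str) -> dict:
    """Group proxy fetches per host as (timestamp, domain) pairs."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        ts, host, _method, url = line.split()
        by_host[host].append((parse_ts(ts), url.split("/")[2]))
    return by_host


def domains_before_crashes(crashes: list, proxy: dict, window=WINDOW) -> Counter:
    """Count, per domain, how many crashes it was fetched shortly before on the same host."""
    hits = Counter()
    for crash_ts, host in crashes:
        recent = {d for ts, d in proxy.get(host, []) if crash_ts - window <= ts <= crash_ts}
        hits.update(recent)  # one count per crash, even if fetched several times
    return hits


def suspicious_domains(hits: Counter, min_crashes: int = 2) -> list:
    """Domains that precede crashes on multiple occasions are worth a closer look."""
    return sorted(d for d, n in hits.items() if n >= min_crashes)
```

A domain that clusters ahead of crashes may equally be a legitimately unstable page, so treat the output as a triage list rather than a verdict.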
Monitoring Recommendations
- Enable centralized logging from macOS endpoints for WebKit process termination events.
- Track DNS and proxy traffic to newly registered or low-reputation domains accessed from corporate Apple devices.
- Alert on MDM compliance drift when devices fall behind the patched OS versions.
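The version-baseline check behind the inventory strategy and the compliance-drift alert above, as an added example that is not part of the original advisory. The inventory rows are constructed; the baselines are the patched versions the advisory lists. Devices on a release train with no listed fix (for example iOS 17.x) are reported separately rather than assumed patched, which is an assumption of this example, not a statement from Apple.

```python
"""Compare MDM-reported Apple OS and Safari versions against the CVE-2026-28962 fixed versions."""
from collections import defaultdict
from dataclasses import dataclass

# Fixed versions per product, keyed by release train (major version). iOS and iPadOS
# have two supported trains (18.x and 26.x), each with its own patched baseline.
PATCHED_BASELINES = {
    "iOS":      {18: (18, 7, 9), 26: (26, 5)},
    "iPadOS":   {18: (18, 7, 9), 26: (26, 5)},
    "macOS":    {26: (26, 5)},
    "visionOS": {26: (26, 5)},
    "Safari":   {26: (26, 5)},
}


@dataclass
class Finding:
    device: str
    product: str
    version: str
    status: str  # "patched", "unpatched" or "no_baseline"


def parse_version(text: str) -> tuple:
    """Turn '26.4.1 (build)' into (26, 4, 1); any trailing build string is ignored."""
    return tuple(int(p) for p in text.split()[0].split(".") if p.isdigit())


def baseline_for(product: str, version: tuple):
    """Pick the baseline for the device's train; newer trains inherit the newest baseline."""
    trains = PATCHED_BASELINES[product]
    major = version[0]
    if major in trains:
        return trains[major]
    newest = max(trains)
    return trains[newest] if major > newest else None  # older train: no listed fix


def check_device(device: str, product: str, version: str) -> Finding:
    parsed = parse_version(version)
    base = baseline_for(product, parsed)
    if base is None:
        return Finding(device, product, version, "no_baseline")
    # Tuple comparison pads naturally: (26, 5) <= (26, 5, 1), (18, 7, 8) < (18, 7, 9).
    return Finding(device, product, version, "patched" if parsed >= base else "unpatched")


def audit(inventory) -> dict:
    """Group device ids by status so compliance drift can be alerted on."""
    groups = defaultdict(list)
    for device, product, version in inventory:
        groups[check_device(device, product, version).status].append(device)
    return dict(groups)


# Constructed sample inventory (not real MDM data). Build strings are placeholders.
SAMPLE_INVENTORY = [
    ("mac-001", "macOS", "26.4.1 (build)"), ("mac-002", "macOS", "26.5"),
    ("ipad-007", "iPadOS", "18.7.9"), ("iphone-012", "iOS", "18.7.8"),
    ("iphone-013", "iOS", "26.5.1"), ("vision-002", "visionOS", "26.3"),
    ("mac-003", "Safari", "26.4"), ("iphone-014", "iOS", "17.7.2"),
]
```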
How to Mitigate CVE-2026-28962
Immediate Actions Required
- Update all Apple devices to Safari 26.5, iOS 18.7.9 or 26.5, iPadOS 18.7.9 or 26.5, macOS Tahoe 26.5, and visionOS 26.5.
- Push updates through MDM with enforcement deadlines and verify installation through compliance reports.
- Restrict access to high-risk web categories on managed devices until patches are confirmed deployed.
Patch Information
Apple has published fixes in the following advisories: Apple Security Update 127110, Apple Security Update 127111, Apple Security Update 127115, Apple Security Update 127120, and Apple Security Update 127121. Each advisory lists the relevant OS build numbers and confirms the access restriction improvement that resolves CVE-2026-28962.
Workarounds
- Where immediate patching is not possible, configure web filtering to block untrusted and uncategorized domains for Apple endpoints.
- Disable JavaScript in Safari for high-risk user groups through Configuration Profiles until updates are applied.
- Limit the use of in-app WebViews on unpatched devices, particularly for applications that render external links.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.