CVE-2026-28971 Overview
CVE-2026-28971 is a user interface spoofing vulnerability affecting multiple Apple operating systems and the Safari browser. A malicious iframe can use another website's download settings, allowing attackers to abuse a victim site's trust context during file downloads. The flaw is categorized under CWE-1021 (Improper Restriction of Rendered UI Layers or Frames). Apple addressed the issue with improved UI handling in Safari 26.5, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, and visionOS 26.5.
Critical Impact
A malicious iframe can inherit another website's download settings, enabling silent or user-trusted file downloads that may facilitate phishing or malware delivery campaigns.
Affected Products
- Apple iPadOS (versions prior to 26.5)
- Apple iOS (iPhone OS, versions prior to 26.5) and Safari (prior to 26.5)
- Apple macOS Tahoe (prior to 26.5) and Apple visionOS (prior to 26.5)
Discovery Timeline
- 2026-05-11 - CVE-2026-28971 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-28971
Vulnerability Analysis
The vulnerability resides in how WebKit and Safari handle download configuration boundaries between a parent document and embedded iframes. When a page embeds a third-party iframe, the iframe can leverage the parent site's download settings rather than its own origin's settings. This breaks the same-origin trust model that users rely on when interpreting download prompts.
A visitor on a trusted site may receive a download initiated by an embedded malicious iframe, but the download dialog or behavior reflects the parent site's permissions. The flaw enables user interface confusion, as the user attributes the download to the legitimate site they intentionally visited.
Exploitation requires user interaction, such as clicking a link or confirming a prompt, and is limited to confidentiality impact on the targeted browser session. The issue does not provide code execution or persistent compromise on the device.
Root Cause
The root cause is improper restriction of rendered UI layers between iframe contexts and their host document. Safari and WebKit did not enforce that download policy decisions originate from the iframe's own origin. Apple's fix introduces improved UI handling so download settings are correctly scoped to the originating frame.
Attack Vector
An attacker hosts malicious content inside an iframe embedded on a trusted website, either through compromise, ad networks, or sites that allow third-party embeds. When a user interacts with the iframe content, the attacker triggers a download that inherits the parent website's download settings. The victim sees a download experience consistent with the trusted site and is more likely to accept the file.
No verified public exploit code is available for this vulnerability. Technical details are described in the Apple Support Advisory #127121.
Detection Methods for CVE-2026-28971
Indicators of Compromise
- Unexpected file downloads on Apple endpoints that originate from iframe-heavy domains such as ad networks or embedded widget hosts.
- Browser download history entries that reference a parent domain but deliver content from an unrelated third-party origin.
- Newly downloaded executables, disk images, or archives on iOS, iPadOS, macOS, or visionOS devices running versions prior to 26.5.
Detection Strategies
- Inventory Apple endpoints and identify devices running Safari, iOS, iPadOS, macOS, or visionOS versions earlier than 26.5.
- Correlate web proxy logs with endpoint download events to identify mismatches between the visited parent domain and the actual download origin.
- Hunt for downloads of suspicious file types (.dmg, .pkg, .zip, .iso) following visits to pages known to embed third-party iframes.
Monitoring Recommendations
- Monitor Mobile Device Management (MDM) compliance reporting for Apple OS version drift below the 26.5 patched baseline.
- Enable web proxy or secure web gateway logging that captures iframe parent and child origin metadata.
- Alert on user-reported phishing attempts that involve unexpected file downloads from otherwise trusted sites.
How to Mitigate CVE-2026-28971
Immediate Actions Required
- Update all Apple devices to Safari 26.5, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, or visionOS 26.5 as applicable.
- Push the update through MDM to enforce minimum OS versions across the managed fleet.
- Remind users to verify the source of any unexpected download prompt, even when initiated from a trusted site.
Patch Information
Apple addressed the issue with improved UI handling. Patched releases are documented in the Apple Support Advisory #127110, Apple Support Advisory #127115, Apple Support Advisory #127120, and Apple Support Advisory #127121. Apply the relevant update for each affected operating system.
Workarounds
- Configure browser or MDM policies to block automatic downloads from cross-origin iframes where possible.
- Use content filtering at the network edge to restrict ad networks and third-party embed sources known to deliver untrusted content.
- Educate users to inspect downloaded files and avoid opening unexpected installers, even when the originating site appears trusted.
# Example MDM compliance check to enforce minimum patched iOS/iPadOS version
# Replace with your MDM's policy syntax (Jamf, Intune, Kandji, etc.)
required_min_version="26.5"
current_version=$(sw_vers -productVersion)
if [ "$(printf '%s\n' "$required_min_version" "$current_version" | sort -V | head -n1)" != "$required_min_version" ]; then
echo "NON-COMPLIANT: OS version $current_version is below $required_min_version"
exit 1
fi
echo "COMPLIANT: OS version $current_version"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
