CVE-2026-43658 Overview
CVE-2026-43658 is a memory handling vulnerability affecting Apple's Safari browser and multiple operating systems. Processing maliciously crafted web content can trigger an unexpected Safari crash, resulting in denial of service. The flaw is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). Apple addressed the issue with improved memory handling in Safari 26.5, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. The vulnerability is exploitable over the network without authentication or user interaction beyond visiting a malicious web page.
Critical Impact
A remote attacker can crash Safari on any unpatched Apple device by serving malicious web content, impacting availability across the Apple device ecosystem.
Affected Products
- Apple iOS and iPadOS (prior to 26.5)
- Apple macOS Tahoe, tvOS, visionOS, and watchOS (prior to 26.5)
- Apple Safari (prior to 26.5)
Discovery Timeline
- 2026-05-11 - CVE-2026-43658 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43658
Vulnerability Analysis
The vulnerability resides in the memory handling logic used when Safari processes web content. When a victim visits a page containing maliciously crafted markup, scripts, or media, the browser engine mishandles memory operations and terminates unexpectedly. Apple's advisory characterizes the resolution as "improved memory handling," consistent with a memory safety defect in the rendering pipeline.
The shared codebase across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS means the same flaw extends across Apple's product line. While the public disclosure describes the impact as an unexpected crash, memory safety defects of this class frequently warrant additional scrutiny because they can sometimes be chained with other primitives.
Root Cause
The root cause is improper memory handling within the WebKit-based content processing path. Apple's advisory does not publicly detail the exact memory operation or object lifecycle that fails. The [CWE-119] classification indicates operations occur outside the intended bounds of a memory buffer, which can include out-of-bounds reads, writes, or related boundary violations.
Attack Vector
Exploitation requires an attacker to deliver maliciously crafted web content to a victim's browser. This is achievable through direct links, compromised websites, malicious advertisements, or embedded web views within other applications. No authentication or prior access to the device is required. The attacker does not need any privileges and the attack complexity is low, making opportunistic exploitation feasible at scale.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Technical specifics of the trigger condition are not publicly documented. Refer to the Apple Security Advisory #127121 for vendor-provided details.
Detection Methods for CVE-2026-43658
Indicators of Compromise
- Unexpected and repeated Safari or WebKit-based application crashes across iOS, iPadOS, macOS, tvOS, visionOS, or watchOS endpoints.
- Crash reports referencing WebKit components such as com.apple.WebKit.WebContent generated immediately after visiting a specific URL.
- Outbound traffic to unfamiliar domains immediately preceding browser process termination on managed Apple devices.
Detection Strategies
- Collect and centralize macOS and iOS crash logs from ~/Library/Logs/DiagnosticReports/ and MDM telemetry to identify clustering of WebKit-related crashes.
- Correlate browser crash events with web proxy logs to identify the originating URL or domain serving the crafted content.
- Monitor endpoint detection telemetry for abnormal process termination patterns affecting Safari and embedded WebKit views.
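The crash-to-proxy correlation described in the list above, as an added example that is not part of the original advisory. The host names, domains, timestamps, and the 15-second window are constructed assumptions; real crash and proxy records would need to be normalized into these tuple shapes first.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample data, not real telemetry.
# Crash events gathered from DiagnosticReports/MDM: (host, time, process)
CRASHES = [
    ("mac-014", "2026-05-14T09:12:41", "com.apple.WebKit.WebContent"),
    ("mac-022", "2026-05-14T09:40:05", "com.apple.WebKit.WebContent"),
    ("ipad-07", "2026-05-14T10:02:17", "com.apple.WebKit.WebContent"),
    ("mac-014", "2026-05-14T11:30:00", "Finder"),
]
# Web proxy rows: (host, time, url)
PROXY = [
    ("mac-014", "2026-05-14T09:12:30", "https://intranet.example/home"),
    ("mac-014", "2026-05-14T09:12:38", "https://cdn.crafted.example/a.html"),
    ("mac-022", "2026-05-14T09:30:00", "https://news.example/"),
    ("mac-022", "2026-05-14T09:39:59", "https://cdn.crafted.example/b.html"),
    ("ipad-07", "2026-05-14T10:02:10", "https://cdn.crafted.example/a.html"),
    ("ipad-07", "2026-05-14T10:02:12", "https://intranet.example/home"),
    ("mac-030", "2026-05-14T10:15:00", "https://intranet.example/home"),
    ("mac-014", "2026-05-14T11:29:55", "https://other.example/"),
]

def suspect_domains(crashes, proxy, window_s=15, min_hosts=2):
    """Return (domain, crashed_hosts, visiting_hosts), most crashing hosts first."""
    requests = defaultdict(list)  # host -> [(time, domain)]
    visitors = defaultdict(set)   # domain -> every host that requested it
    for host, ts, url in proxy:
        domain = urlsplit(url).hostname
        requests[host].append((datetime.fromisoformat(ts), domain))
        visitors[domain].add(host)
    crashed = defaultdict(set)    # domain -> hosts that crashed right after a request
    window = timedelta(seconds=window_s)
    for host, ts, process in crashes:
        if "WebKit" not in process and process != "Safari":
            continue              # ignore crashes of unrelated processes
        crash_t = datetime.fromisoformat(ts)
        for req_t, domain in requests[host]:
            if timedelta(0) <= crash_t - req_t <= window:
                crashed[domain].add(host)
    rows = [(d, len(h), len(visitors[d]))
            for d, h in crashed.items() if len(h) >= min_hosts]
    return sorted(rows, key=lambda r: (-r[1], r[0]))
```

A domain where every visiting host crashed stands out against one that also has visitors who did not crash; the third column is there to separate a likely source from a commonly visited site that merely falls inside the window.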
Monitoring Recommendations
- Track Apple device OS versions through enterprise mobility management to identify endpoints still running pre-26.5 builds.
- Alert when devices below the patched baseline browse external websites to surface remaining exposure.
- Review web gateway logs for repeated requests to URLs immediately followed by user-reported browser instability.
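One way to implement the baseline alert from the list above, as an added example that is not part of the original advisory. The inventory and gateway rows are constructed, and the `.corp.internal` suffix is an assumed internal DNS zone; devices with a missing or unparseable version are treated as below baseline.

```python
from urllib.parse import urlsplit

BASELINE = (26, 5)  # patched release named in this advisory

# Constructed MDM inventory export: device -> reported OS version
INVENTORY = {
    "mac-014": "26.4.1",
    "mac-022": "26.5",
    "ipad-07": "26.10",  # newer than 26.5; a plain string comparison gets this wrong
    "watch-3": "26.4",
    "tv-01": "unknown",  # unparseable, so treated as non-compliant
}
# Constructed web gateway rows: (device, url)
GATEWAY = [
    ("mac-014", "https://news.example/story"),
    ("mac-014", "https://wiki.corp.internal/page"),
    ("mac-022", "https://news.example/story"),
    ("tv-01", "https://video.example/stream"),
    ("ipad-07", "https://shop.example/"),
]
INTERNAL_SUFFIXES = (".corp.internal",)  # assumption: internal zone, not alerted on

def parse_version(text):
    """Return the version as a tuple of ints, or None if it cannot be parsed."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None

def is_patched(text, baseline=BASELINE):
    """Numeric component-wise comparison: 26.4.1 < 26.5 <= 26.10."""
    version = parse_version(text)
    return version is not None and version >= baseline

def exposed_browsing(inventory, gateway):
    """List external requests made by devices below the patched baseline."""
    alerts = []
    for device, url in gateway:
        version = inventory.get(device, "unknown")  # unknown devices count as unpatched
        host = urlsplit(url).hostname or ""
        if not is_patched(version) and not host.endswith(INTERNAL_SUFFIXES):
            alerts.append((device, version, host))
    return alerts
```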
How to Mitigate CVE-2026-43658
Immediate Actions Required
- Update all Apple devices to Safari 26.5, iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, or watchOS 26.5.
- Prioritize patching internet-facing user devices and devices used by privileged personnel.
- Use MDM solutions to enforce minimum OS versions and verify compliance across the fleet.
Patch Information
Apple released fixes in Safari 26.5 and in the corresponding 26.5 updates for iOS, iPadOS, macOS Tahoe, tvOS, visionOS, and watchOS. Refer to the vendor advisories for build numbers and download links: Apple Security Advisory #127110, Apple Security Advisory #127115, Apple Security Advisory #127118, Apple Security Advisory #127119, Apple Security Advisory #127120, and Apple Security Advisory #127121.
Workarounds
- Restrict browsing to trusted sites through web filtering policies until patches are applied across the fleet.
- Use enterprise web gateways to block known malicious domains and inspect content delivered to Apple endpoints.
- Disable JavaScript in Safari for high-risk user groups as a temporary control where operationally feasible.
```bash
# Verify installed macOS version meets the patched baseline
sw_vers -productVersion
# Trigger an Apple software update check on macOS
sudo softwareupdate --list
sudo softwareupdate --install --all --restart
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


