CVE-2026-43745 Overview
CVE-2026-43745 is an out-of-bounds write vulnerability [CWE-787] affecting Apple Safari and multiple Apple operating systems. Processing maliciously crafted web content can trigger an unexpected Safari crash, resulting in a denial-of-service condition. The issue was addressed with improved input validation.
Apple fixed the flaw in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2. Exploitation requires user interaction, typically by convincing a target to visit a crafted webpage. No public exploit is available, and CISA has not added the CVE to the Known Exploited Vulnerabilities catalog.
Critical Impact
Remote attackers can crash Safari on unpatched Apple devices by serving malicious web content, disrupting browsing sessions across iOS, iPadOS, and macOS.
Affected Products
- Apple Safari (versions prior to 26.5.2)
- Apple iOS and iPadOS (versions prior to 26.5.2)
- Apple macOS Tahoe (versions prior to 26.5.2)
Discovery Timeline
- 2026-06-29 - CVE-2026-43745 published to NVD
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-43745
Vulnerability Analysis
The vulnerability resides in Safari's handling of web content, where malformed input crosses a memory boundary during processing. An out-of-bounds write [CWE-787] occurs when a program writes data past the end, or before the beginning, of an allocated buffer. In this case, the write corrupts adjacent memory and induces a Safari crash.
The advisory scope covers Safari on macOS as well as the WebKit-based browsing stack shipped with iOS and iPadOS. Apple's remediation description states the fix implements improved input validation, indicating the root cause is missing or insufficient bounds checking on attacker-controlled data. The observed impact is limited to availability, with no reported confidentiality or integrity effects.
Root Cause
The underlying defect is improper validation of input parsed from web content. When Safari encounters a specifically crafted structure, the code path writes beyond an allocated buffer. Apple's patch introduces additional validation checks before the memory write occurs, preventing the out-of-bounds access.
Attack Vector
Exploitation is network-based and requires user interaction. An attacker hosts a malicious webpage, phishing link, or embedded iframe containing the crafted content. When a user on an unpatched device loads the page in Safari, the browser process crashes. The advisory does not describe code execution, and the CVSS impact profile reflects availability loss only.
Because no verified proof-of-concept code has been published, the vulnerability is described in prose. See the Apple Support Advisory #127594 for vendor details.
Detection Methods for CVE-2026-43745
Indicators of Compromise
- Repeated Safari process crashes (com.apple.Safari) with WebKit-related crash reports in ~/Library/Logs/DiagnosticReports/ on macOS.
- Users reporting Safari tab crashes shortly after visiting a specific URL or advertisement.
- Crash signatures referencing WebCore or JavaScriptCore frames with out-of-bounds memory access.
Detection Strategies
- Collect and centralize macOS diagnostic crash reports to identify clusters of Safari terminations tied to a common referring URL.
- Correlate web proxy or DNS telemetry with reported crashes to surface the malicious domain serving the crafted content.
- Inventory Apple endpoints to flag devices running Safari, iOS, iPadOS, or macOS Tahoe versions below 26.5.2.
Monitoring Recommendations
- Monitor endpoint telemetry for abnormal Safari process termination rates across managed macOS fleets.
- Track outbound HTTP/HTTPS destinations from Safari for previously unseen domains preceding crash events.
- Alert on mobile device management (MDM) records reporting outdated iOS and iPadOS builds after the patch release.
How to Mitigate CVE-2026-43745
Immediate Actions Required
- Update Safari to version 26.5.2 on macOS endpoints.
- Upgrade iOS and iPadOS devices to 26.5.2 through MDM or Software Update.
- Upgrade macOS Tahoe systems to 26.5.2 to receive the bundled WebKit fix.
- Prioritize patching for users who browse untrusted sites or handle high-value accounts.
Patch Information
Apple addressed the issue in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2. Refer to the vendor advisories for exact build numbers and rollout guidance: Apple Support Advisory #127594, Apple Support Advisory #127595, and Apple Support Advisory #127685.
Workarounds
- Restrict Safari usage on unpatched devices and direct users to an alternate, patched browser until updates are applied.
- Enforce web filtering to block access to untrusted or newly registered domains that could host malicious content.
- Disable JavaScript in Safari preferences for high-risk users where feasible, accepting the loss of site functionality.
# Verify Safari version on macOS
mdls -name kMDItemVersion /Applications/Safari.app
# Trigger software update check on macOS
sudo softwareupdate --list
sudo softwareupdate --install --all --restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

