Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-43745

CVE-2026-43745: Apple Safari DOS Vulnerability

CVE-2026-43745 is a denial of service vulnerability in Apple Safari caused by an out-of-bounds write flaw. Malicious web content can crash Safari unexpectedly. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-43745 Overview

CVE-2026-43745 is an out-of-bounds write vulnerability [CWE-787] affecting Apple Safari and multiple Apple operating systems. Processing maliciously crafted web content can trigger an unexpected Safari crash, resulting in a denial-of-service condition. The issue was addressed with improved input validation.

Apple fixed the flaw in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2. Exploitation requires user interaction, typically by convincing a target to visit a crafted webpage. No public exploit is available, and CISA has not added the CVE to the Known Exploited Vulnerabilities catalog.

Critical Impact

Remote attackers can crash Safari on unpatched Apple devices by serving malicious web content, disrupting browsing sessions across iOS, iPadOS, and macOS.

Affected Products

  • Apple Safari (versions prior to 26.5.2)
  • Apple iOS and iPadOS (versions prior to 26.5.2)
  • Apple macOS Tahoe (versions prior to 26.5.2)

Discovery Timeline

  • 2026-06-29 - CVE-2026-43745 published to NVD
  • 2026-06-30 - Last updated in NVD database

Technical Details for CVE-2026-43745

Vulnerability Analysis

The vulnerability resides in Safari's handling of web content, where malformed input crosses a memory boundary during processing. An out-of-bounds write [CWE-787] occurs when a program writes data past the end, or before the beginning, of an allocated buffer. In this case, the write corrupts adjacent memory and induces a Safari crash.

The advisory scope covers Safari on macOS as well as the WebKit-based browsing stack shipped with iOS and iPadOS. Apple's remediation description states the fix implements improved input validation, indicating the root cause is missing or insufficient bounds checking on attacker-controlled data. The observed impact is limited to availability, with no reported confidentiality or integrity effects.

Root Cause

The underlying defect is improper validation of input parsed from web content. When Safari encounters a specifically crafted structure, the code path writes beyond an allocated buffer. Apple's patch introduces additional validation checks before the memory write occurs, preventing the out-of-bounds access.

Attack Vector

Exploitation is network-based and requires user interaction. An attacker hosts a malicious webpage, phishing link, or embedded iframe containing the crafted content. When a user on an unpatched device loads the page in Safari, the browser process crashes. The advisory does not describe code execution, and the CVSS impact profile reflects availability loss only.

Because no verified proof-of-concept code has been published, the vulnerability is described in prose. See the Apple Support Advisory #127594 for vendor details.

Detection Methods for CVE-2026-43745

Indicators of Compromise

  • Repeated Safari process crashes (com.apple.Safari) with WebKit-related crash reports in ~/Library/Logs/DiagnosticReports/ on macOS.
  • Users reporting Safari tab crashes shortly after visiting a specific URL or advertisement.
  • Crash signatures referencing WebCore or JavaScriptCore frames with out-of-bounds memory access.

Detection Strategies

  • Collect and centralize macOS diagnostic crash reports to identify clusters of Safari terminations tied to a common referring URL.
  • Correlate web proxy or DNS telemetry with reported crashes to surface the malicious domain serving the crafted content.
  • Inventory Apple endpoints to flag devices running Safari, iOS, iPadOS, or macOS Tahoe versions below 26.5.2.

Monitoring Recommendations

  • Monitor endpoint telemetry for abnormal Safari process termination rates across managed macOS fleets.
  • Track outbound HTTP/HTTPS destinations from Safari for previously unseen domains preceding crash events.
  • Alert on mobile device management (MDM) records reporting outdated iOS and iPadOS builds after the patch release.

How to Mitigate CVE-2026-43745

Immediate Actions Required

  • Update Safari to version 26.5.2 on macOS endpoints.
  • Upgrade iOS and iPadOS devices to 26.5.2 through MDM or Software Update.
  • Upgrade macOS Tahoe systems to 26.5.2 to receive the bundled WebKit fix.
  • Prioritize patching for users who browse untrusted sites or handle high-value accounts.

Patch Information

Apple addressed the issue in Safari 26.5.2, iOS 26.5.2, iPadOS 26.5.2, and macOS Tahoe 26.5.2. Refer to the vendor advisories for exact build numbers and rollout guidance: Apple Support Advisory #127594, Apple Support Advisory #127595, and Apple Support Advisory #127685.

Workarounds

  • Restrict Safari usage on unpatched devices and direct users to an alternate, patched browser until updates are applied.
  • Enforce web filtering to block access to untrusted or newly registered domains that could host malicious content.
  • Disable JavaScript in Safari preferences for high-risk users where feasible, accepting the loss of site functionality.
bash
# Verify Safari version on macOS
mdls -name kMDItemVersion /Applications/Safari.app

# Trigger software update check on macOS
sudo softwareupdate --list
sudo softwareupdate --install --all --restart

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.