Skip to main content

WebKit CVE-2026-28905

| EUVDEUVD-2026-29230 HIGH
Buffer Overflow (CWE-119)
2026-05-11 apple GHSA-523x-p7vc-qqv3
7.5
CVSS 3.1 · Vendor: apple
Share

Severity by source

Vendor (apple) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
HIGH
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (apple).

CVSS VectorVendor: apple

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 17:46 vuln.today
CVSS changed
May 12, 2026 - 15:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

AnalysisAI

Memory corruption in WebKit across Apple platforms (iOS, iPadOS, macOS, tvOS, visionOS) allows remote attackers to access sensitive information via malicious web content. CVSS vector indicates network-based exploitation requiring no user interaction or authentication (AV:N/AC:L/PR:N/UI:N), contradicting the description's 'process crash' outcome with the High Confidentiality impact rating. EPSS score of 0.02% (5th percentile) suggests low real-world exploitation probability. Vendor patches available for all affected platforms (version 26.5). SSVC framework rates this as automatable with partial technical impact but no observed exploitation.

Technical ContextAI

This vulnerability affects WebKit, Apple's browser engine used across iOS, iPadOS, macOS, tvOS, and visionOS for rendering web content in Safari and in-app web views. Classified as CWE-119 (Improper Restriction of Operations within Memory Buffer Bounds), the flaw represents a buffer overflow or related memory safety issue in WebKit's content processing pipeline. The CPE strings identify all major Apple operating systems as affected, indicating the vulnerability exists in shared WebKit code rather than platform-specific implementations. Memory handling bugs in browser engines are critical attack surfaces because they process untrusted content from arbitrary websites. The CVSS vector's High Confidentiality impact combined with No Integrity/Availability impact suggests potential information disclosure rather than code execution, which conflicts with typical buffer overflow exploitation patterns that usually enable arbitrary code execution (CIA impact).

RemediationAI

Update all affected Apple devices to version 26.5 or later: iOS 26.5 and iPadOS 26.5 for mobile devices, macOS Tahoe 26.5 for desktop systems, tvOS 26.5 for Apple TV devices, and visionOS 26.5 for Vision Pro headsets. Vendor-confirmed patches are available through standard Apple Software Update mechanisms as documented in Apple security advisories HT127110, HT127115, HT127118, and HT127120. For organizations unable to immediately deploy OS updates, implement network-layer web filtering to block access to known malicious domains and restrict web browsing to trusted sites only, though this provides incomplete protection since the vulnerability affects any web content processing including embedded web views in applications. Content Security Policy (CSP) headers and sandboxing of web content do not mitigate this memory corruption issue as it occurs within the rendering engine itself. No effective workaround exists beyond OS update given the fundamental nature of WebKit in the Apple ecosystem-disabling Safari leaves other applications using WebKit web views vulnerable.

CVE-2026-39868 CRITICAL
9.1 Jun 29

Kernel memory corruption in Apple iOS/iPadOS (before 26.5.2) and macOS Tahoe (before 26.5.2) allows a malicious or compr

CVE-2026-43715 HIGH
8.8 Jun 29

Memory corruption in Apple's WebKit browser engine (Safari and the system WebView on iOS, iPadOS, and macOS before 26.5.

CVE-2026-43705 HIGH
8.8 Jun 29

Memory corruption via type confusion in Apple's WebKit browser engine allows attackers to corrupt memory by luring a vic

CVE-2026-43731 HIGH
8.8 Jun 29

Memory corruption via use-after-free in Apple's WebKit browser engine allows remote attackers to corrupt memory when a v

CVE-2026-28847 HIGH
8.8 May 11

Memory-corruption crash in Apple's WebKit web-content engine lets a malicious website terminate the content-rendering pr

CVE-2026-28955 HIGH
8.8 May 11

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and

CVE-2026-28947 HIGH
8.8 May 11

Use-after-free in WebKit allows remote attackers to trigger Safari crashes and potentially achieve arbitrary code execut

CVE-2026-43735 HIGH
8.1 Jun 29

The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS

CVE-2026-28907 HIGH
8.1 May 11

Content Security Policy bypass in Apple's WebKit-based platforms (iOS, iPadOS, macOS Tahoe, tvOS, visionOS, watchOS) all

CVE-2026-43724 HIGH
7.8 Jun 29

Local privilege escalation and kernel memory corruption in Apple iOS, iPadOS (before 26.5.2) and macOS Tahoe (before 26.

CVE-2026-28904 HIGH
7.5 May 11

Memory corruption in WebKit across Apple's ecosystem enables confidentiality breach via malicious web content without us

CVE-2026-28953 HIGH
7.5 May 11

Information disclosure in Apple WebKit's web content processing engine allows remote attackers to read sensitive memory

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed

Share

CVE-2026-28905 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy