Skip to main content

Apple WebKit CVE-2026-28944

| EUVDEUVD-2026-29253 HIGH
Buffer Overflow (CWE-119)
2026-05-11 apple GHSA-jvf8-r5gx-vr8v
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 17:46 vuln.today
CVSS changed
May 12, 2026 - 15:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

AnalysisAI

Remote denial of service in Apple WebKit (iOS/iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5) allows unauthenticated network attackers to crash browser processes via maliciously crafted web content exploiting a memory handling flaw. CVSS 7.5 (High) reflects network-based attack with no authentication required, though impact is limited to availability (process crash). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability. SSVC assessment confirms no active exploitation, but marks it as automatable, suggesting potential for future weaponization in drive-by attacks. Apple has released patches across all affected platforms.

Technical ContextAI

This vulnerability affects WebKit, Apple's browser engine used across iOS, iPadOS, macOS, and visionOS for rendering web content in Safari and other applications. The root cause is CWE-119 (Improper Restriction on Operations within Memory Buffer Bounds), a memory safety issue typically associated with buffer overflows or out-of-bounds memory access. When WebKit processes specially crafted web content, improper memory handling triggers an unexpected process termination. The vulnerability resides in the web content rendering pipeline, likely in parsing or layout code paths that handle untrusted input from web pages. CPE data confirms impact across three distinct Apple operating system families: iOS/iPadOS (mobile), macOS (desktop), and visionOS (spatial computing), all sharing the same underlying WebKit codebase.

RemediationAI

Update to the vendor-released patched versions: iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, or visionOS 26.5. Apply updates through system Settings → General → Software Update on iOS/iPadOS/visionOS, or System Settings → General → Software Update on macOS. Detailed security content information and installation instructions are available in Apple's security advisories at https://support.apple.com/en-us/127110 (iOS/iPadOS), https://support.apple.com/en-us/127115 (macOS), and https://support.apple.com/en-us/127120 (visionOS). If immediate patching is not feasible, organizations can implement compensating controls: deploy web content filtering to block access to untrusted or newly-registered domains (reduces exposure to drive-by attacks, but limits legitimate browsing), disable JavaScript in Safari security settings (prevents many exploit delivery mechanisms, but breaks significant web functionality), or restrict users to curated allowlists of approved websites (effective for kiosk/limited-use deployments, impractical for general-purpose systems). Note that these workarounds significantly degrade user experience and should be considered temporary measures only.

Share

CVE-2026-28944 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy