Skip to main content

WebKit EUVDEUVD-2026-29235

| CVE-2026-28913 HIGH
Buffer Overflow (CWE-119)
2026-05-11 apple GHSA-7gg5-fpc5-p8qm
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:24 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

AnalysisAI

WebKit memory corruption vulnerability allows remote attackers to trigger denial-of-service process crashes across Apple's entire operating system ecosystem (iOS, iPadOS, macOS, tvOS, watchOS) when processing maliciously crafted web content. Despite a CVSS score of 7.5 suggesting high confidentiality impact, the vendor description indicates only process crash (availability impact), representing a scoring discrepancy that requires clarification. No active exploitation confirmed (not in CISA KEV), EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, and vendor patches released across all affected platforms in version 26.5.

Technical ContextAI

This vulnerability affects WebKit, Apple's browser engine used across iOS, iPadOS, macOS, tvOS, and watchOS for rendering web content in Safari and embedded web views. The root cause is CWE-119 (Improper Restriction on Operations within Memory Buffer Bounds), commonly manifesting as buffer overflow conditions. WebKit's complex parsing and rendering pipeline processes untrusted web content including HTML, CSS, JavaScript, and multimedia formats. Memory handling flaws in these parsers can be triggered by specially crafted web content that causes out-of-bounds memory access. Apple's fix involved improved memory handling mechanisms, likely implementing additional bounds checking, memory allocation validation, or migrating vulnerable code to memory-safe patterns. The cross-platform nature (affecting CPE entries for all Apple OS families) suggests the vulnerable code resides in shared WebKit components rather than platform-specific integrations.

RemediationAI

Vendor-released patch: Update to iOS/iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, or watchOS 26.5 respectively for each affected platform. Updates can be installed through standard Apple software update mechanisms (Settings > General > Software Update on iOS/iPadOS, System Settings > General > Software Update on macOS, Settings > System > Software Updates on tvOS/watchOS). For environments unable to immediately patch, implement compensating controls: disable JavaScript in Safari (Settings > Safari > Advanced > JavaScript) to reduce attack surface, though this severely degrades web functionality; deploy web content filtering to block access to known-malicious domains; restrict web browsing to essential business sites only via DNS filtering or proxy whitelisting; consider isolating web browsing to sandboxed virtual machines or browser isolation solutions for high-risk users. Note that disabling JavaScript breaks most modern web applications, and content filtering provides only probabilistic protection against zero-hour threats. For embedded systems using WebKit (kiosks, digital signage), implement application allowlisting to restrict content sources to trusted domains only. Complete vendor security advisories: https://support.apple.com/en-us/127110, https://support.apple.com/en-us/127115, https://support.apple.com/en-us/127118, https://support.apple.com/en-us/127119.

Share

EUVD-2026-29235 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy