Skip to main content

Apple macOS EUVDEUVD-2026-29254

| CVE-2026-28946 MEDIUM
Use After Free (CWE-416)
2026-05-11 apple GHSA-ch66-7v2f-mvh2
6.5
CVSS 3.1 · Vendor: apple
Share

Severity by source

Vendor (apple) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (apple).

CVSS VectorVendor: apple

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 18:25 vuln.today
CVSS changed
May 12, 2026 - 18:22 NVD
6.5 (MEDIUM)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
MEDIUM 6.5

DescriptionCVE.org

A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Tahoe 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.

AnalysisAI

Denial of service in Apple macOS prior to version 26.5 allows remote attackers to crash Safari via maliciously crafted web content that triggers a use-after-free memory condition. The vulnerability requires user interaction (opening a malicious webpage) but no authentication, affecting all macOS versions before 26.5. EPSS exploitation probability is very low at 0.02%, suggesting limited real-world attack incentive despite the crash capability.

Technical ContextAI

This is a use-after-free vulnerability (CWE-416) in memory management within Safari's web content processing engine. Use-after-free occurs when a program references memory that has already been deallocated; in this case, Safari's content parser fails to properly manage object lifecycles when processing specific HTML/JavaScript constructs in web content. The vulnerability affects the entire macOS platform (CPE: cpe:2.3:a:apple:macos:*:*:*:*:*:*:*:*), indicating the flaw is in core macOS libraries or the Safari browser itself that all macOS versions depend on. The attacker exploits this by crafting web content that triggers premature memory deallocation followed by a subsequent access attempt, causing a crash.

RemediationAI

Vendor-released patch: macOS Tahoe 26.5 or later. Users should immediately update to macOS 26.5 when available through System Settings > General > Software Update. For users unable to immediately patch, the primary compensating control is to restrict or disable Safari's web content processing by configuring macOS parental controls to block access to untrusted websites, though this is impractical for most users. A more feasible interim control is to use alternative browsers (Chrome, Firefox) with their own sandbox isolation; however, this is a workaround, not a fix, as the underlying system libraries may still be vulnerable. The side effect of disabling Safari is loss of native macOS browser functionality and potential compatibility issues with macOS-integrated features (Handoff, iCloud keychain integration with Safari). No server-side mitigations are available; the fix must be applied client-side. See https://support.apple.com/en-us/127115 for patch delivery timeline and technical details.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed

Share

EUVD-2026-29254 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy