CVE-2026-28947

Apple · Safari, iOS, iPadOS, macOS, tvOS, visionOS, watchOS

A use-after-free vulnerability in Apple products allows for potential arbitrary code execution when processing maliciously crafted web content.

Executive summary

A critical use-after-free vulnerability in Apple software could allow remote attackers to execute arbitrary code via malicious web content.

Vulnerability

This is a use-after-free memory management vulnerability. According to the CVSS vector (AV:N/PR:N/UI:R), this requires user interaction, such as visiting a compromised website, and can be triggered by an unauthenticated remote attacker.

Business impact

Exploitation of this vulnerability could lead to a complete system compromise, including unauthorized data access and the execution of malicious code. With a CVSS score of 8.8, the risk is severe, particularly for enterprise environments where users frequently access diverse web content, increasing the exposure window for browser-based attacks.

Remediation

Immediate Action: Update Safari and all affected Apple operating systems to version 26.5 or later immediately.

Proactive Monitoring: Review web filtering and proxy logs for connections to suspicious or newly registered domains that may be hosting malicious payloads.

Compensating Controls: Utilize endpoint protection software capable of detecting memory-based exploitation patterns and browser-level malicious content.

Exploitation status

Public Exploit Available: Unknown — no confirmed weaponized exploit or public PoC identified in provided data.

Analyst recommendation

The reliance on user interaction does not diminish the severity of this flaw, as it can be easily triggered through common web browsing activities. Organizations must ensure that browser and OS updates are deployed urgently to mitigate the risk of remote compromise.