CVE-2026-28946

Description

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, macOS Tahoe 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* - VULNERABLE

Safari < 26.5

macOS Tahoe < 26.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- Conceptual PoC for Safari UAF -->
<html>
<body>
<script>
    // Step 1: Create a target DOM element
    let target = document.createElement('div');
    document.body.appendChild(target);

    // Step 2: Define a function that triggers the internal free logic
    function triggerVulnerability() {
        // Removing the element may trigger internal destruction
        document.body.removeChild(target);
        // In a real scenario, specific timing or API calls are needed to free the underlying object
    }

    // Step 3: Trigger the free
    triggerVulnerability();

    // Step 4: Attempt to access the freed object (Use-After-Free)
    // This access attempts to read from the freed memory, causing a crash or info leak
    try {
        console.log(target.innerHTML);
    } catch (e) {
        console.log("PoC execution triggered");
    }
</script>
</body>
</html>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-28946
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-28946
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-28946/
[4] VulDB https://vuldb.com/cve/CVE-2026-28946
[5] https://support.apple.com/en-us/127115
[6] https://support.apple.com/en-us/127121

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-28946", "sourceIdentifier": "[email protected]", "published": "2026-05-11T21:18:55.740", "lastModified": "2026-05-13T21:16:43.690", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, macOS Tahoe 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.5", "matchCriteriaId": "6CB91417-90A8-4A9B-A1D0-1D94B80EF837"}]}]}], "references": [{"url": "https://support.apple.com/en-us/127115", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127121", "source": "[email protected]"}]}}