PatchSiren

CVE-2026-28955 Apple CVE debrief

Apple addressed CVE-2026-28955 with improved memory handling. The issue can be triggered by maliciously crafted web content and may cause an unexpected process crash, affecting Safari and multiple Apple operating systems until the listed fixed releases were installed.

Vendor: Apple
Product: Safari
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-11
Original CVE updated: 2026-05-13
Advisory published: 2026-05-11
Advisory updated: 2026-05-13

Who should care

Organizations and users running Apple platforms that process untrusted web content, especially Safari users and fleet administrators managing iPhone, iPad, Mac, Apple TV, Vision Pro, and Apple Watch deployments.

Technical summary

The CVE is rated HIGH (CVSS 7.5) with a network attack vector, low complexity, no privileges required, and no user interaction. NVD maps the weakness to CWE-119 and describes the impact as availability-only: maliciously crafted web content may lead to an unexpected process crash. Apple states the issue is fixed via improved memory handling in Safari 26.5, iOS and iPadOS 18.7.9 and 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5.

Defensive priority

High. The CVSS vector indicates remote, unauthenticated, no-click exposure with a crash-only impact, so patching should be prioritized wherever browsers or embedded web content are exposed to untrusted input.

Recommended defensive actions

  • Update Safari to 26.5.
  • Apply the Apple security updates for iOS 18.7.9 or iOS 26.5 as applicable.
  • Apply the Apple security updates for iPadOS 18.7.9 or iPadOS 26.5 as applicable.
  • Update macOS Tahoe to 26.5.
  • Update tvOS, visionOS, and watchOS to 26.5.
  • Prioritize patching devices that regularly render untrusted web content.
  • Verify fleet compliance against the fixed versions listed by Apple and NVD.
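
One way to script the fleet compliance check from the last action, as an added example that is not part of the original debrief or of any Apple tooling. The inventory rows, host names and status labels are constructed for illustration; the check assumes that a major branch newer than every listed fix already contains it, and it flags branches for which this page names no fix instead of guessing.

```python
# Added example; fixed releases are those named in this debrief, per major branch.
FIXED = {
    "Safari": [(26, 5)],
    "iOS": [(18, 7, 9), (26, 5)],
    "iPadOS": [(18, 7, 9), (26, 5)],
    "macOS": [(26, 5)],  # macOS Tahoe
    "tvOS": [(26, 5)],
    "visionOS": [(26, 5)],
    "watchOS": [(26, 5)],
}

def parse_version(text):  # '18.7.9' -> (18, 7, 9); ValueError if non-numeric
    return tuple(int(part) for part in text.strip().split("."))

def status(product, version_text):
    """Classify one device: patched, vulnerable, no-fix-listed or unparsed."""
    fixes = FIXED.get(product)
    if fixes is None:
        return "no-fix-listed"  # product not named in the debrief
    try:
        ver = parse_version(version_text)
    except ValueError:
        return "unparsed"  # beta or suffixed strings need a manual look
    for fix in fixes:
        if ver[0] == fix[0]:  # same major branch: compare numerically
            width = max(len(ver), len(fix))
            pad = lambda v: v + (0,) * (width - len(v))
            return "patched" if pad(ver) >= pad(fix) else "vulnerable"
    # Assumption: a major branch newer than every listed fix includes it.
    if ver[0] > max(fix[0] for fix in fixes):
        return "patched"
    return "no-fix-listed"  # e.g. iOS 17.x: the page names no fix for it

def audit(inventory):  # {host: status} for every host that is not patched
    results = ((host, status(prod, ver)) for host, prod, ver in inventory)
    return {h: s for h, s in results if s != "patched"}

# Constructed sample inventory (hypothetical hosts, not real data).
INVENTORY = [
    ("mac-001", "macOS", "26.4.1"),
    ("iphone-014", "iOS", "18.7.10"),
    ("iphone-015", "iOS", "18.7.8"),
    ("ipad-009", "iPadOS", "17.7.2"),
    ("watch-002", "watchOS", "26.5 beta"),
]

if __name__ == "__main__":
    for host, state in audit(INVENTORY).items():
        print(f"{host}: {state}")
```

Versions are compared as integer tuples, so 18.7.10 is correctly treated as newer than 18.7.9, which a plain string comparison would get wrong.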

Evidence notes

This debrief is based on the CVE record and NVD metadata supplied in the corpus. The CVE description says the issue was addressed with improved memory handling and that maliciously crafted web content may cause an unexpected process crash. NVD supplies CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-119, and vulnerable CPE ranges ending before the fixed versions. Apple support references in the corpus point to the release-note/vendor-advisory pages for the affected products.

Official resources

Apple and NVD published this CVE on 2026-05-11T21:18:56.570Z, and the NVD entry was modified on 2026-05-13T21:16:44.147Z. No KEV listing is present in the supplied corpus.