Apple has released Safari 26.5, addressing 20 WebKit vulnerabilities and a WebRTC flaw that could enable malicious web content to crash the browser or expose sensitive user data. The update, available for macOS Sonoma and macOS Sequoia, arrives alongside Apple’s broader iOS 26.5 and macOS updates released earlier this week.
Critical WebKit Vulnerabilities Patched
Among the most severe issues is CVE-2026-28962, which could allow crafted web content to disclose sensitive user information through inadequate access restrictions. Multiple researchers, including Luke Francis and teams from Kakaogames and TrendAI’s Zero Day Initiative, contributed to its discovery. Several other flaws, such as CVE-2026-43658 and CVE-2026-28905, could trigger unexpected Safari or process crashes due to improper memory handling.
The update also resolves two Content Security Policy (CSP) bypass vulnerabilities — CVE-2026-43660 and CVE-2026-28907 — reported by the security research group Cantina. These issues could prevent CSP from being enforced, potentially allowing attackers to execute unauthorized scripts. Apple addressed them with improved input validation and logic corrections.
Memory Management and Data Protection Fixes
A use-after-free vulnerability, CVE-2026-28883, could lead to process crashes when processing malicious web content, and was fixed through enhanced memory management. Another issue, CVE-2026-28958, posed a risk of unauthorized app access to sensitive user data, resolved with improved data protection measures. Additional crashes tied to input validation flaws, including CVE-2026-28917 and several use-after-free cases reported by researchers such as dr3dd and Anthropic’s Milad Nasr, have also been patched.
WebRTC and iframe Security Enhancements
Safari 26.5 closes a WebRTC vulnerability, CVE-2026-28944, that could cause unexpected process crashes, reported by researchers from Palo Alto Networks and others. A separate iframe-related issue, CVE-2026-28971, allowed malicious iframes to hijack another website’s download settings, addressed through improved UI handling. Apple credits researcher Khiem Tran for this finding.
Implications for Enterprise Security Teams
For organizations managing macOS fleets, this update underscores the importance of prompt patch deployment, particularly given the breadth of crash-inducing and data-exposure vectors. The involvement of multiple independent researchers and coordinated disclosure programs highlights the ongoing threat landscape targeting WebKit, the engine underpinning Safari and numerous third-party browsers. Enterprises should prioritize testing and rolling out Safari 26.5 to mitigate risks from crafted web content that could compromise both user privacy and system stability.
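To act on that rollout recommendation, here is an added fleet-side check (not from the article, Apple or 9to5Mac) that reports whether an installed Safari predates 26.5. It assumes the standard /Applications/Safari.app bundle path and the CFBundleShortVersionString key in its Info.plist, and compares versions numerically so that a hypothetical 26.10 is correctly treated as newer than 26.5.

```shell
#!/bin/sh
# Added example, not code from the original article: check whether the
# installed Safari is older than the 26.5 release that fixes the issues above.

MIN_SAFARI_VERSION="26.5"

# Return 0 (true) when dotted version $1 is strictly lower than $2.
# Components are compared as integers, so "26.10" > "26.5"; missing
# components count as 0, so "26.5" and "26.5.0" compare equal.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "[.]"); nb = split(b, pb, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# Return 0 (true) when the given Safari version needs the 26.5 update.
safari_needs_update() {
    version_lt "$1" "$MIN_SAFARI_VERSION"
}

# Read the installed Safari version from the bundle's Info.plist (macOS only;
# CFBundleShortVersionString is the standard bundle version key).
installed_safari_version() {
    defaults read /Applications/Safari.app/Contents/Info.plist \
        CFBundleShortVersionString 2>/dev/null
}

# Only query the bundle when Safari.app is actually present on this host.
if [ -d /Applications/Safari.app ]; then
    current=$(installed_safari_version)
    if safari_needs_update "$current"; then
        echo "Safari $current is older than $MIN_SAFARI_VERSION: update required"
    else
        echo "Safari $current is at or above $MIN_SAFARI_VERSION"
    fi
fi
```

An MDM or configuration-management tool can run this as a compliance script and flag hosts where it prints "update required".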
— Originally reported by 9to5Mac. Adapted and republished with editorial context for MacThreat.