Safari 26.5 fixes WebKit bugs that could crash Safari or expose user data

Apple has published the full list of security fixes for Safari 26.5, including a WebKit vulnerability that could let maliciously crafted web content disclose sensitive user information. Here are the details.

Apple releases security content for Safari 26.5

Earlier this week, Apple released iOS 26.5 and its counterparts, along with updates for older versions of iOS, iPadOS, and macOS.

On that same day, the company released the full security content for each update, and you can find more details about it here.

Now, Apple has released the security content for Safari 26.5, which includes fixes for 20 WebKit vulnerabilities, as well as a WebRTC issue that could cause an unexpected process crash.

Here’s the full security content of Safari 26.5:

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

Description: A validation issue was addressed with improved logic.

WebKit Bugzilla: 308906

CVE-2026-43660: Cantina

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

Description: The issue was addressed with improved input validation.

WebKit Bugzilla: 308675

CVE-2026-28907: Cantina

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: This issue was addressed with improved access restrictions.

WebKit Bugzilla: 309698

CVE-2026-28962: Luke Francis, Vaagn Vardanian, kwak kiyong / kakaogames, Vitaly Simonovich, Adel Bouachraoui, greenbynox

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 307669

CVE-2026-43658: Do Young Park

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 308545

CVE-2026-28905: Yuhao Hu, Yuanming Lai, Chenggang Wu, and Zhe Wang

WebKit Bugzilla: 308707

CVE-2026-28847: DARKNAVY (@DarkNavyOrg), Anonymous working with TrendAI Zero Day Initiative, Daniel Rhea

WebKit Bugzilla: 309601

CVE-2026-28904: Luka Rački

WebKit Bugzilla: 310880

CVE-2026-28955: wac and Kookhwan Lee working with TrendAI Zero Day Initiative

WebKit Bugzilla: 310303

CVE-2026-28903: Mateusz Krzywicki (iVerify.io)

WebKit Bugzilla: 309628

CVE-2026-28953: Maher Azzouzi

WebKit Bugzilla: 309861

CVE-2026-28902: Tristan Madani (@TristanInSec) from Talence Security, Nathaniel Oh (@calysteon)

WebKit Bugzilla: 310207

CVE-2026-28901: Aisle offensive security research team (Joshua Rogers, Luigino Camastra, Igor Morgenstern, and Guido Vranken), Maher Azzouzi, Ngan Nguyen of Calif.io

WebKit Bugzilla: 311631

CVE-2026-28913: an anonymous researcher

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 313939

CVE-2026-28883: kwak kiyong / kakaogames

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: An app may be able to access sensitive user data

Description: This issue was addressed with improved data protection.

WebKit Bugzilla: 311228

CVE-2026-28958: Cantina

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: The issue was addressed with improved input validation.

WebKit Bugzilla: 310527

CVE-2026-28917: Vitaly Simonovich

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 310234

CVE-2026-28947: dr3dd

WebKit Bugzilla: 310544

CVE-2026-28946: Gia Bui (@yabeow) from Calif.io, dr3dd, w0wbox

WebKit Bugzilla: 312180

CVE-2026-28942: Milad Nasr and Nicholas Carlini with Claude, Anthropic

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: A malicious iframe may use another website’s download settings

Description: The issue was addressed with improved UI handling.

CVE-2026-28971: Khiem Tran

WebKit Bugzilla: 311288

WebRTC

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 311131

CVE-2026-28944: Kenneth Hsu of Palo Alto Networks, Jérôme DJOUDER, dr3dd

If your Mac is compatible with Safari 26.5, it might be a good idea to make sure you’re running the latest version as soon as possible.

To learn more about Apple’s security releases, follow this link.

Worth checking out on Amazon

• David Pogue – ’Apple: The First 50 Years’
• MacBook Neo
• Logitech MX Master 4
• AirPods Pro 3
• AirTag (2nd Generation) – 4 Pack
• Apple Watch Series 11
• Wireless CarPlay adapter