Apple has released the full security patch notes for Safari 26.5, revealing a number of serious vulnerabilities. One of these would have allowed malicious websites to steal sensitive user data, while others could crash Safari or the underlying browser process. In total, Apple patches 20 WebKit vulnerabilities plus one WebRTC flaw.
The update arrives just two days after the rollout of the major platform updates: earlier this week, Apple finalized iOS 26.5 after completing the beta phase and simultaneously updated the macOS versions. Safari 26.5 is being delivered separately for macOS Sonoma and macOS Sequoia and contains the security patches that Apple typically documents as a bundle after OS releases. On newer systems, Safari 26.5 is already part of macOS 26.5; this standalone update is intended for users of the two older macOS versions.
What Safari 26.5 specifically fixes
The focus is on WebKit, Apple's browser engine, which is also used in iOS and iPadOS. In total, Apple is closing 20 WebKit vulnerabilities and one WebRTC bug that could cause an unexpected process crash.
The most serious vulnerability is documented as CVE-2026-28962: Complicated web content could have exposed sensitive user information. Apple addressed the issue with improved access restrictions. The flaw was reported by several researchers, including Luke Francis and Vitaly Simonovich.
Two further WebKit patches address the Content Security Policy (CSP), a key protection mechanism that prevents injected scripts from executing on a website. Both CVE-2026-43660 and CVE-2026-28907 could have led to the CSP not being enforced correctly. Apple has patched the two vulnerabilities with improved logic and improved input validation, respectively.
Multiple crash vulnerabilities in WebKit
The largest share of the fixed bugs are vulnerabilities that could allow manipulated web content to crash Safari or the rendering process. These include CVE-2026-43658, a memory issue that could directly cause Safari to crash.
A longer list of CVEs (including CVE-2026-28905, CVE-2026-28847, CVE-2026-28904, CVE-2026-28955, CVE-2026-28903, CVE-2026-28953, CVE-2026-28902, CVE-2026-28901 and CVE-2026-28913) was addressed collectively: All could cause unexpected process crashes and were fixed with improved memory handling or improved input validation.
Of particular note is CVE-2026-28883, a so-called use-after-free vulnerability. In this class of flaw, code accesses memory that has already been released – a classic entry point for attackers, as such vulnerabilities can often escalate to code execution. Apple has addressed the problem with improved memory management. Two other use-after-free bugs (CVE-2026-28947 and CVE-2026-28946) are also included in the patch.
Access to sensitive data and iframe trick
A separate patch addresses CVE-2026-28958: This vulnerability could have allowed an app to access sensitive user data. Apple has addressed this with improved data protection measures.
Also of interest is CVE-2026-28971: A malicious iframe could have abused the download settings of another website. Apple has improved the UI handling in this case. Such vulnerabilities are particularly relevant because iframes are embedded on many pages, and users often cannot identify the origin of the triggered action.
The WebRTC patch
In addition to the WebKit vulnerabilities, Apple is also closing a WebRTC bug (CVE-2026-28944) that could cause an unexpected process crash. WebRTC is the technology behind real-time communication in the browser – including video calls, audio streams, and peer-to-peer connections. The bug was reported by researchers at Palo Alto Networks, among others.
Anthropic researchers on the CVE list
It's noteworthy that among the CVE reporters for CVE-2026-28942 are two Anthropic researchers, Milad Nasr and Nicholas Carlini, who, according to Apple's note, worked with Claude. This aligns with the cybersecurity project that Apple and Anthropic recently launched together, which uses AI models specifically to search for vulnerabilities. The security content for Safari 26.5 now documents the first concrete result of this collaboration.
Why this update is important
Browser vulnerabilities are among the most lucrative targets for attackers because they can often be exploited simply by visiting a compromised website. WebKit is particularly sensitive within Apple's ecosystem because the engine runs not only in Safari but also in every other iOS app that displays web content. Security updates like Safari 26.5 therefore play a central role in Apple's layered protection system, which consists of platform updates, rapid security responses, and targeted patches.
The timing is also no coincidence: Apple traditionally only releases security information once the patches have been distributed. Only then are CVE IDs, descriptions, and the names of the reporting researchers disclosed – a procedure that was recently also evident with the emergency patch iOS 26.4.2, which closed a Signal vulnerability exploited by the FBI.
Here's how to get Safari 26.5
On macOS Sonoma and macOS Sequoia, Safari 26.5 can be installed separately. Mac users of these versions should promptly access the Software Update section in System Preferences. On macOS 26, however, Safari 26.5 is already part of the current system and will be delivered automatically with the platform update. iOS and iPadOS users will receive the same WebKit patches via their respective system updates.
Apple's WebKit hygiene is becoming routine
Safari 26.5 demonstrates how closely Apple is now working on the browser's underlying architecture – and how deeply external security research is integrated into the process. With 20 WebKit patches in a single update, this release isn't a typical feature release, but rather a pure security package. For users of older macOS versions, installing the update isn't optional, but mandatory – browser vulnerabilities are one of the most common ways attackers gain a foothold in a system.