CVE-2026-28859

CWE-125 — Out-of-bounds Read CWE-416 — Use After Free CWE-787 — Out-of-bounds Write CWE-120 — Classic Buffer Overflow8 documents8 sources

Severity

4.3MEDIUM

EPSS

0.0%

top 88.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple IOS AND Ipados Apple Macos Apple Safari +5 more

Timeline

PublishedMar 25

Latest updateMar 30

Description

The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. A malicious website may be able to process restricted web content outside the sandbox.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages14 packages

▶CVEListV5apple/tvos< 26.4

▶NVDapple/tvos< 26.4

▶CVEListV5apple/macos< 26.4

▶NVDapple/macos< 26.4

▶CVEListV5apple/safari< 26.4

🔴Vulnerability Details

OSV

CVE-2026-28859: The issue was addressed with improved memory handling↗2026-03-25

▶

GHSA

GHSA-q74v-rxg6-m2w6: The issue was addressed with improved memory handling↗2026-03-25

▶

CVEList

CVE-2026-28859: The issue was addressed with improved memory handling↗2026-03-25

▶

📋Vendor Advisories

Red Hat

webkitgtk: A malicious website may be able to process restricted web content outside the sandbox↗2026-03-28

▶

Debian

CVE-2026-28859: webkit2gtk - The issue was addressed with improved memory handling. This issue is fixed in Sa...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-28859 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-28859 webkitgtk: A malicious website may be able to process restricted web content outside the sandbox [fedora-all]↗2026-03-30

▶