
Apple Releases Safari and WebKit Security Update Patching Memory Corruption and CSP Bypass Vulnerabilities

Apple released a security update for Safari and WebKit on 13 May addressing more than ten vulnerabilities including memory corruption flaws enabling potential arbitrary code execution and a Content Security Policy bypass allowing cross-origin data access. The update applies to macOS Ventura, Sonoma, Sequoia, iOS, and iPadOS. Users should update immediately given WebKit's role as the rendering engine for all iOS browsers.


Apple released a security update for Safari and the underlying WebKit engine on 13 May, patching more than ten vulnerabilities including memory corruption issues with potential for arbitrary code execution and a Content Security Policy bypass that can enable cross-origin data leakage. The update is available for macOS Ventura, macOS Sonoma, macOS Sequoia, iOS 19, and iPadOS 19.

Notable Vulnerabilities

Memory Corruption (multiple CVEs, including CVE-2026-43660 and CVE-2026-43658): Several of the patched flaws are out-of-bounds reads and writes in WebKit’s JavaScript engine and media-handling code. Apple’s security notes describe them as potentially leading to “unexpected process crashes or arbitrary code execution” when processing maliciously crafted web content, which for a browser engine means nothing more than a visit to an attacker-controlled page or to a legitimate page carrying injected content. Two of the memory corruption flaws are described as potentially exploitable in targeted attacks, though Apple has not confirmed active in-the-wild exploitation.

Content Security Policy Bypass (CVE-2026-28907): A logic error in WebKit’s CSP enforcement allows a malicious page to exfiltrate data from a CSP-restricted context in violation of the page’s declared policy. CSP is a defence-in-depth mechanism against XSS: it limits what injected script can load and where it can send data, but it does not remove the injection itself. A bypass of this nature undermines the assumption that a declared policy is binding in the browser, so it matters most to web applications that treat directives such as connect-src and form-action as the control that stops injected script from exfiltrating user data. Server-side controls (output encoding, input validation) remain the primary defence and are unaffected by a client-side enforcement bug.
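A useful first step when assessing exposure to a bug like this is to know which exfiltration channels a given policy actually closes, applying CSP’s own fallback rules. The script below is an added example written for this article, not code from Apple or WebKit: it parses a CSP header, resolves each exfiltration-relevant directive through the default-src fallback that CSP Level 3 defines (form-action deliberately has none), and reports channels that are unrestricted or broadly allowed. The two sample headers and all function names are constructed for illustration.

```python
"""Audit a Content-Security-Policy header for the channels a page could use to
exfiltrate data, applying CSP's own default-src fallback rules.

Added example for this article; not WebKit's or Apple's code. The two header
values at the bottom are constructed for illustration.
"""
from __future__ import annotations

# Fetch directives that fall back to default-src when absent (CSP Level 3).
# form-action, frame-ancestors, base-uri and sandbox do NOT fall back.
FALLS_BACK_TO_DEFAULT = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "script-src", "style-src",
    "worker-src",
}

# Exfiltration channels an injected script can use, and the directive that
# governs each. Top-level navigation (location = attacker) is not covered by
# CSP at all, which is one reason CSP is defence in depth rather than a fence.
EXFIL_CHANNELS = {
    "fetch/XHR/WebSocket/sendBeacon": "connect-src",
    "image beacon (<img src=...>)": "img-src",
    "form submission": "form-action",
    "iframe to attacker origin": "frame-src",
}

# Source expressions that allow effectively any destination.
BROAD_SOURCES = {"*", "http:", "https:", "ws:", "wss:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header into {directive: [source expressions]}.

    Directive names are case-insensitive and, per the spec, only the first
    occurrence of a directive is honoured; later duplicates are ignored.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Return (sources, origin): the list that actually governs `directive`
    and which directive supplied it. (None, None) means unrestricted."""
    if directive in policy:
        return policy[directive], directive
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"], "default-src"
    return None, None


def audit_exfil(header: str) -> list[str]:
    """Return one finding per exfiltration channel that is unrestricted or
    broadly allowed, plus a finding if violations are not reported anywhere."""
    policy = parse_csp(header)
    findings: list[str] = []
    for channel, directive in EXFIL_CHANNELS.items():
        sources, origin = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{channel}: unrestricted ({directive} absent, no fallback)")
            continue
        broad = [s for s in sources if s.lower() in BROAD_SOURCES or s.startswith("*.")]
        if broad:
            findings.append(f"{channel}: {origin} allows {' '.join(broad)}")
    if "report-to" not in policy and "report-uri" not in policy:
        findings.append("no report-to/report-uri: violations are never reported")
    return findings


# Constructed sample policies (not taken from any real site).
WEAK_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'; img-src *"
HARDENED_CSP = (
    "default-src 'self'; script-src 'self' 'nonce-abc123'; img-src 'self'; "
    "connect-src 'self' https://api.example.com; form-action 'self'; "
    "frame-ancestors 'none'; report-to csp-endpoint"
)

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        findings = audit_exfil(csp)
        print(f"[{label}] {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run against the weak sample, the audit flags the image beacon channel (img-src *), the missing form-action (no fallback, so form posts to any origin are allowed) and the absence of reporting; the hardened sample produces no findings. The tool only reasons about the declared policy: a browser-side enforcement bug such as CVE-2026-28907 means the browser may not honour even a clean policy, which is why the server-side controls mentioned above still carry the primary load.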

Cross-Origin Data Leak (CVE-2026-28962): An issue in the handling of certain resource loads can expose data from cross-origin frames, potentially enabling a malicious web page to read content from pages loaded in other origins, including content behind authentication, since a cross-origin frame is loaded with whatever cookies the framed site permits on cross-site requests.

Enterprise Significance

For enterprises managing Apple device fleets, this update is significant on two fronts:

  1. All iOS browsers use WebKit: Apple’s App Store rules require iOS web browsers to use WebKit as their rendering engine (the exception is the EU, where alternative engines have been permitted since iOS 17.4). This means Safari, Chrome, Firefox, Edge, and every other WebKit-based iOS browser is affected by WebKit vulnerabilities, and patching iOS updates all of them simultaneously.

  2. macOS enterprise management: On the current macOS release Safari ships with the OS update, but on the two previous releases (here Ventura and Sonoma) it is delivered as a standalone Safari update. Safari updates can be deployed via MDM (Jamf, Microsoft Intune, and similar; Apple Business Manager handles enrolment and licensing rather than update delivery). Security teams should confirm that update deployment policies include the standalone Safari update and not just macOS system updates.

Recommended Actions

  • Apply immediately: Update Safari, iOS, iPadOS, and macOS to the latest versions. On macOS, check System Settings → General → Software Update; on Ventura and Sonoma the Safari update appears there as a separate item. On iOS/iPadOS, navigate to Settings → General → Software Update.
  • Enterprise MDM: Deploy the update via your MDM platform. Verify that update policies cover the standalone Safari package on managed macOS devices and that supervised iOS/iPadOS devices have automatic updates enforced, then confirm compliance from device inventory rather than assuming the deployment succeeded.
  • CSP audit: For web applications that rely on Content Security Policy as a security control, note that CVE-2026-28907 means CSP enforcement was potentially bypassable in WebKit for the period before this update. Review server-side and proxy logs for unexpected cross-origin requests from Safari and iOS user agents during the vulnerability window. Do not rely on CSP violation reports alone for this: a request that enforcement let through would not have produced a violation report, so an empty report log is not evidence that nothing happened.
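The compliance check behind the first two actions is simple in principle but easy to get wrong: version strings must be compared numerically, not as text, and on Ventura and Sonoma the Safari version has to be checked on its own because it moves independently of the OS build. The script below is an added example written for this article, not Apple’s or any MDM vendor’s tooling. It audits an MDM inventory export for devices still below a minimum version and, when run on a Mac, reads the local versions with Apple’s own sw_vers and PlistBuddy. The inventory rows are constructed, and the minimum versions in PLACEHOLDER_MINIMUMS are assumed placeholders: the article gives no version numbers, so the real ones must come from Apple’s release notes for the 13 May update.

```python
"""Flag devices in an MDM inventory export that are still below the patched
Safari or OS version, and probe the local Mac with Apple's own tools.

Added example for this article; not Apple's or any MDM vendor's tooling.
The inventory rows and the minimum versions are constructed placeholders: the
article gives no version numbers, so take the real ones from Apple's release
notes for the 13 May update before using this against a fleet.
"""
from __future__ import annotations

import platform
import re
import subprocess

# Placeholder minimums (assumed, not from the advisory). macOS rows are judged
# on their Safari version, because on Ventura and Sonoma Safari updates ship
# separately from the OS; iOS/iPadOS rows are judged on the OS version.
PLACEHOLDER_MINIMUMS = {"Safari": "19.0", "iOS": "19.0", "iPadOS": "19.0"}


def version_tuple(v: str) -> tuple[int, ...]:
    """'18.4.1' -> (18, 4, 1). Comparing tuples avoids the string pitfall
    where '18.10' sorts below '18.4'. Only the leading digits of each
    component count, so '15.5 (build)' is read as (15, 5)."""
    parts: list[int] = []
    for p in v.strip().split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_patched(installed: str, minimum: str) -> bool:
    """True when installed >= minimum. A shorter tuple compares below a longer
    one with the same prefix, so '18.4' < '18.4.1' as intended."""
    return version_tuple(installed) >= version_tuple(minimum)


def audit_inventory(rows: list[dict[str, str]], minimums: dict[str, str]) -> list[tuple[str, str]]:
    """Return (device, reason) for every row that still needs action.

    Each row is one device: {'device', 'os', 'os_version', 'safari_version'};
    safari_version is only meaningful for macOS and may be empty if the MDM
    does not collect application inventory.
    """
    needs_action: list[tuple[str, str]] = []
    for r in rows:
        os_name = r["os"]
        if os_name == "macOS":
            sv = r.get("safari_version", "")
            if not sv:
                needs_action.append((r["device"], "Safari version not reported; enable app inventory"))
            elif not is_patched(sv, minimums["Safari"]):
                needs_action.append((r["device"], f"Safari {sv} < {minimums['Safari']}"))
        elif os_name in minimums:
            if not is_patched(r["os_version"], minimums[os_name]):
                needs_action.append((r["device"], f"{os_name} {r['os_version']} < {minimums[os_name]}"))
        else:
            needs_action.append((r["device"], f"no minimum defined for {os_name}"))
    return needs_action


def probe_local_mac() -> dict[str, str] | None:
    """Read the local Mac's OS and Safari versions with Apple's own tools.
    Returns None on non-macOS hosts so the inventory logic can still run."""
    if platform.system() != "Darwin":
        return None
    os_v = subprocess.run(["sw_vers", "-productVersion"],
                          capture_output=True, text=True, check=True).stdout.strip()
    safari_v = subprocess.run(
        ["/usr/libexec/PlistBuddy", "-c", "Print :CFBundleShortVersionString",
         "/Applications/Safari.app/Contents/Info.plist"],
        capture_output=True, text=True, check=True).stdout.strip()
    return {"macOS": os_v, "Safari": safari_v}


# Constructed inventory rows (not a real MDM export).
SAMPLE_INVENTORY = [
    {"device": "mac-01", "os": "macOS", "os_version": "15.5", "safari_version": "19.0"},
    {"device": "mac-02", "os": "macOS", "os_version": "14.7.6", "safari_version": "18.6"},
    {"device": "mac-03", "os": "macOS", "os_version": "15.5", "safari_version": ""},
    {"device": "iphone-01", "os": "iOS", "os_version": "18.10", "safari_version": ""},
    {"device": "iphone-02", "os": "iOS", "os_version": "19.0.1", "safari_version": ""},
    {"device": "ipad-01", "os": "iPadOS", "os_version": "19.0", "safari_version": ""},
]

if __name__ == "__main__":
    for device, reason in audit_inventory(SAMPLE_INVENTORY, PLACEHOLDER_MINIMUMS):
        print(f"{device}: {reason}")
    local = probe_local_mac()
    if local:
        print("this Mac:", local, "Safari patched:",
              is_patched(local["Safari"], PLACEHOLDER_MINIMUMS["Safari"]))
```

With the constructed rows, mac-02 is flagged for its Safari version, mac-03 because the MDM reported no Safari version at all (a common gap when application inventory is disabled), and iphone-01 because 18.10 is below the placeholder minimum even though a naive string comparison would rank it above 19.0’s neighbours such as 18.4. Devices on 19.0.1 pass because a longer version with the same prefix compares as newer.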
