CVE-2026-28857 is a memory handling vulnerability in Apple Safari that can be triggered by processing specially crafted web content. The underlying issues include out-of-bounds reads (CWE-125), improper memory operations (CWE-787), and use-after-free conditions (CWE-416), which collectively lead to unexpected process crashes. This vulnerability affects multiple Apple platforms including Safari on iOS, iPadOS, macOS Tahoe, and visionOS prior to version 26.4. The attack vector is remote, requiring no privileges but necessitating user interaction, such as visiting a malicious or compromised website. The flaw does not allow for data disclosure or code execution but impacts availability by causing denial-of-service through browser crashes. Apple addressed the issue by improving memory handling in Safari 26.4 and corresponding OS updates. The CVSS v3.1 base score is 6.5, reflecting a medium severity level due to the impact on availability and ease of exploitation without privileges. No public exploits have been reported, but the vulnerability could be leveraged for targeted denial-of-service attacks against users of affected Apple devices.

The primary impact of CVE-2026-28857 is denial-of-service through unexpected browser process crashes, which can disrupt user productivity and access to web resources. For organizations, this can translate into operational interruptions, especially in environments heavily reliant on Safari for web applications or internal portals. While the vulnerability does not compromise confidentiality or integrity, repeated crashes could be exploited to degrade service availability or as part of a larger attack chain. Enterprises with large Apple device deployments, including macOS and iOS users, are at risk of widespread disruption if malicious web content is encountered. Additionally, sectors such as finance, healthcare, and government that depend on stable and secure browsing environments may face increased operational risks. The lack of known exploits reduces immediate threat but does not eliminate the risk of future weaponization.

Organizations should promptly update Safari to version 26.4 or later and ensure all Apple devices are running the corresponding OS updates (iOS 26.4, iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4). Employ web content filtering and URL reputation services to block access to potentially malicious websites that could exploit this vulnerability. Educate users about the risks of interacting with untrusted web content and encourage cautious browsing behavior. Implement endpoint protection solutions capable of detecting abnormal browser crashes or suspicious memory activity. For managed environments, consider deploying configuration policies that restrict the use of outdated Safari versions and enforce automatic updates. Monitor security advisories from Apple for any emerging exploit reports or additional patches. Finally, maintain regular backups and incident response plans to quickly recover from potential denial-of-service impacts.