Apple’s Safari 26.5 update for macOS Sonoma, macOS Sequoia, iOS 26.5 and iPadOS 26.5 closes 20 WebKit vulnerabilities and a WebRTC issue that could crash the browser or leak user data. This article explains the technical nature of the fixes, why they matter for web developers, and how to verify that the patches are in place on the devices your apps and sites run on.
Safari 26.5 patches 20 WebKit flaws and a WebRTC crash bug

Apple released Safari 26.5 alongside iOS 26.5, iPadOS 26.5 and the macOS Sonoma / Sequoia updates. The accompanying security advisory lists 20 WebKit vulnerabilities and one WebRTC bug that could cause a browser crash or expose sensitive data. For developers who maintain web content or native hybrid apps, understanding the underlying issues and confirming that the patches are in place is essential.
Platform update
- Supported OS versions – Safari 26.5 ships as a standalone update for macOS Sonoma (14.x) and macOS Sequoia (15.x). The same WebKit code is built into iOS 26.5 and iPadOS 26.5, so devices on those releases receive the fixes with the OS update rather than as a separate Safari download.
- CVE summary – Apple assigned CVE‑2026‑28905 through CVE‑2026‑28971 to the WebKit bugs and CVE‑2026‑28944 to the WebRTC issue. Most are use‑after‑free or input‑validation errors reachable from maliciously crafted HTML, JavaScript, or WebRTC signaling and media, which means any web page a user visits can trigger them.
- Official advisory – The full list is published on Apple’s security updates page. Where the corresponding WebKit Bugzilla ticket (e.g., Bug 308906) has been made public, it carries the technical description and the fix; WebKit keeps many security bugs restricted until the update has been widely deployed.
Developer impact
1. Content‑Security‑Policy bypasses
Several bugs (e.g., CVE‑2026‑43660, CVE‑2026‑28907) allowed malicious pages to sidestep CSP headers. CSP is a defense‑in‑depth layer: it only comes into play once an attacker has already found a way to inject markup or script into your page. A bypass therefore means that an XSS payload your policy should have neutralized runs with the full privileges of your origin (cookies, local storage, authenticated fetches). The fix adds stricter validation of script‑source attributes and tighter enforcement of the CSP evaluation order.
What to check
- Verify that your CSP header is still being sent on every response (`Content‑Security‑Policy: …`), including error pages and any API responses that render HTML, and that no proxy or CDN in front of your origin strips or rewrites it.
- Check the policy text with Google’s CSP Evaluator (csp-evaluator.withgoogle.com). It rates the header itself, so it tells you whether the policy is strong, not whether Safari enforces it. To test enforcement, load a page containing an inline script without a valid nonce or hash in Safari 26.5 and confirm that Web Inspector reports a CSP violation instead of running the script.
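The two checks above, as an added example that is not part of the original article: a small CSP header parser and linter for the weaknesses a bypass would make fatal (no nonce or hash, `'unsafe-inline'`, wildcard and bare-scheme sources, unrestricted `object-src` and `base-uri`), plus a generator for a probe page that reveals whether the browser actually enforces the policy. The sample headers and the nonce value are constructed for illustration.

```javascript
// Added example (not from the article): parse a Content-Security-Policy header,
// flag settings that weaken script-injection protection, and generate a probe
// page that shows whether Safari actually enforces the policy.
// The sample headers and the nonce value are constructed for illustration.

function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    // CSP ignores a repeated directive; keep the first one, as browsers do.
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

function auditCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  const scriptSrc = d.get('script-src') ?? d.get('default-src');
  if (!scriptSrc) {
    findings.push('no script-src or default-src: inline and remote scripts are unrestricted');
  } else {
    const hasNonceOrHash = scriptSrc.some(v => /^'(nonce-|sha(256|384|512)-)/.test(v));
    // With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline', so only
    // report it when it is the sole thing allowing inline script.
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash)
      findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
    if (scriptSrc.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
    if (scriptSrc.includes('*')) findings.push('script-src allows any origin (*)');
    if (scriptSrc.some(v => /^(https?:|data:)$/.test(v)))
      findings.push('script-src allows a bare scheme (https:, data:), i.e. any host');
  }
  const objectSrc = d.get('object-src') ?? d.get('default-src');
  if (!objectSrc || !objectSrc.includes("'none'"))
    findings.push("object-src is not 'none': plugin content could run");
  if (!d.has('base-uri'))
    findings.push('base-uri is not set: an injected <base> tag can redirect relative script URLs');
  return findings;
}

// Probe page: the first inline script carries the nonce and must run; the second
// has no nonce and must be blocked, which also fires a securitypolicyviolation
// event. Serve it with "script-src 'nonce-<nonce>'" and read window.__cspProbe in
// Web Inspector. Enforcing browser: { allowed: true, blocked: true }.
// Broken enforcement: unnoncedRan becomes true and blocked stays false.
function cspProbePage(nonce) {
  return [
    '<!doctype html><meta charset="utf-8"><title>CSP probe</title>',
    `<script nonce="${nonce}">`,
    '  window.__cspProbe = { allowed: true, blocked: false, unnoncedRan: false };',
    "  document.addEventListener('securitypolicyviolation', e => {",
    "    if (e.violatedDirective.startsWith('script-src')) window.__cspProbe.blocked = true;",
    '  });',
    '</script>',
    '<script>window.__cspProbe.unnoncedRan = true;</script>',
  ].join('\n');
}

// Constructed sample headers.
const STRICT_CSP = "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'; base-uri 'none'";
const WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval' https:";
```

Run `auditCsp` over the header your server actually emits (copied from `curl -I`, not from your config file, so that CDN rewrites show up), and serve `cspProbePage(nonce)` under that header to confirm Safari 26.5 blocks the un-nonced script.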
2. Memory‑corruption crashes
A cluster of use‑after‑free bugs (e.g., CVE‑2026‑28958, CVE‑2026‑28917) could crash Safari’s WebContent process while it handles malformed DOM nodes or WebGL textures. A crash is the benign outcome for this bug class: a freed object being reused is also the usual starting point for arbitrary code execution inside the rendering process, which is why Apple ships these as security fixes rather than stability fixes. Any site a user visits can trigger them, so the exposure is the user’s device, not your server.
What to check
- A WebContent crash never appears in the page’s own console. Look in Console.app → Crash Reports (the files live under ~/Library/Logs/DiagnosticReports on macOS) for reports whose process is com.apple.WebKit.WebContent with an exception type of EXC_BAD_ACCESS. Load your typical user flows in Safari 26.5 and confirm that no such reports are generated.
- For hybrid apps, set `isInspectable = true` on the WKWebView in debug builds (iOS 16.4 / macOS 13.3 and later) so Web Inspector can attach, and implement the `webViewWebContentProcessDidTerminate(_:)` navigation delegate method so the app reloads the view instead of leaving the user with a blank screen when the content process dies.
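The crash-report check above, as an added example that is not part of the original article: a triage filter over macOS/iOS `.ips` crash reports that keeps only WebContent-process crashes whose exception is a memory fault, the signature a use-after-free leaves behind. The two sample reports are constructed and heavily abbreviated; the field names used (`procName`, `exception`, `faultingThread`, `threads[].frames[].symbol`, `usedImages`) follow the JSON `.ips` layout, and the symbol and address values are made up.

```javascript
// Added example (not from the article): triage filter for .ips crash reports.
// Sample reports below are constructed and abbreviated; field names follow the
// JSON .ips layout (header line + report body), symbol/address values are invented.

function parseIps(text) {
  // An .ips file is two JSON documents: a one-line header, then the report body.
  const nl = text.indexOf('\n');
  if (nl < 0) throw new Error('not an .ips report: no header line');
  return { header: JSON.parse(text.slice(0, nl)), body: JSON.parse(text.slice(nl + 1)) };
}

// Exception types that indicate a memory-safety fault rather than an abort.
const MEMORY_FAULTS = new Set(['EXC_BAD_ACCESS', 'EXC_BAD_INSTRUCTION', 'EXC_GUARD']);

function summarizeCrash(text) {
  const { header, body } = parseIps(text);
  const thread = (body.threads ?? [])[body.faultingThread ?? 0] ?? {};
  const top = (thread.frames ?? [])[0] ?? {};
  const image = (body.usedImages ?? [])[top.imageIndex] ?? {};
  const sym = top.symbol ?? '+0x' + (top.imageOffset ?? 0).toString(16);
  return {
    timestamp: header.timestamp ?? null,
    procName: body.procName ?? header.app_name ?? 'unknown',
    exceptionType: body.exception?.type ?? 'unknown',
    exceptionSubtype: body.exception?.subtype ?? '',
    topFrame: `${image.name ?? '?'}!${sym}`,
  };
}

function isWebContentMemoryCrash(summary) {
  return summary.procName === 'com.apple.WebKit.WebContent'
    && MEMORY_FAULTS.has(summary.exceptionType);
}

// Run over a batch of report texts and return the ones worth a closer look.
function triage(reportTexts) {
  return reportTexts.map(summarizeCrash).filter(isWebContentMemoryCrash);
}

// Constructed sample 1: a WebContent memory fault (what this filter is for).
const SAMPLE_IPS = [
  '{"app_name":"WebContent","timestamp":"2026-05-20 10:21:03.00 +0200","bug_type":"309","os_version":"macOS 15.5"}',
  JSON.stringify({
    procName: 'com.apple.WebKit.WebContent',
    exception: { type: 'EXC_BAD_ACCESS', signal: 'SIGSEGV', subtype: 'KERN_INVALID_ADDRESS at 0x0000000000000018' },
    faultingThread: 0,
    threads: [{ frames: [{ imageOffset: 0x1a2b3c, symbol: 'WebCore::Node::parentNode() const', imageIndex: 1 }] }],
    usedImages: [{ name: 'WebKit' }, { name: 'WebCore' }],
  }),
].join('\n');

// Constructed sample 2: the Safari UI process aborting; not a memory fault, filtered out.
const SAMPLE_IPS_BENIGN = [
  '{"app_name":"Safari","timestamp":"2026-05-20 11:02:44.00 +0200","bug_type":"309","os_version":"macOS 15.5"}',
  JSON.stringify({
    procName: 'Safari',
    exception: { type: 'EXC_CRASH', signal: 'SIGABRT' },
    faultingThread: 0,
    threads: [{ frames: [{ imageOffset: 0x1234, symbol: '__pthread_kill', imageIndex: 0 }] }],
    usedImages: [{ name: 'libsystem_kernel.dylib' }],
  }),
].join('\n');
```

Point `triage` at the contents of every `*.ips` file in DiagnosticReports after a test run; a WebContent report with a `WebCore` or `JavaScriptCore` top frame and an EXC_BAD_ACCESS at a small address is the pattern worth attaching to a bug report.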
3. Data‑exposure via iframe sandboxing
CVE‑2026‑28883 introduced a path where an iframe could read data from a sibling frame that had different download settings. In practice that means an attacker who controls a sub‑resource (an ad, a widget, a third‑party embed) could read cookies or local storage values belonging to a frame from a trusted domain, crossing the origin boundary the sandbox attribute is supposed to enforce.
What to check
- Audit every `<iframe sandbox>` attribute you use. Set `allow‑same‑origin` only when the embedded document genuinely needs its real origin, and never combine it with `allow‑scripts` on same‑origin content, because that pair lets the framed document reach into its parent and remove its own sandbox.
- After loading a page that embeds third‑party iframes in Safari 26.5, select the embedded frame’s context in Web Inspector’s console and evaluate `window.origin`: a properly sandboxed frame reports the opaque origin "null". Safari’s Privacy Report lists blocked trackers, not frame isolation, so it does not answer this question.
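The sandbox audit above, as an added example that is not part of the original article: a scanner that extracts every `<iframe>` from a page’s HTML and flags third-party frames without a sandbox, the `allow-same-origin` + `allow-scripts` combination on same-origin content, any use of `allow-same-origin`, and `allow-top-navigation`. The markup and site origin are constructed; the tag scanner is a deliberately small regex parser, adequate for your own templates but not a substitute for a real HTML parser on arbitrary input.

```javascript
// Added example (not from the article): audit <iframe sandbox> attributes in HTML.
// SAMPLE_HTML and SITE_ORIGIN are constructed for illustration.

function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    // A bare attribute such as <iframe sandbox> yields an empty string.
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function isCrossOrigin(src, siteOrigin) {
  try {
    return new URL(src, siteOrigin).origin !== siteOrigin;
  } catch {
    return true; // unparseable src: treat as untrusted
  }
}

function auditIframes(html, siteOrigin) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    const src = a.src ?? '(no src)';
    const foreign = isCrossOrigin(a.src ?? '', siteOrigin);
    if (!('sandbox' in a)) {
      if (foreign) findings.push(`${src}: third-party iframe without a sandbox attribute`);
      continue;
    }
    const tokens = a.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
    const sameOrigin = tokens.includes('allow-same-origin');
    if (sameOrigin && tokens.includes('allow-scripts') && !foreign) {
      // Same-origin content with both flags can script its parent and strip the sandbox.
      findings.push(`${src}: allow-same-origin with allow-scripts on same-origin content lets the frame remove its own sandbox`);
    } else if (sameOrigin) {
      findings.push(`${src}: allow-same-origin keeps the frame's real origin; confirm this is required`);
    }
    if (tokens.includes('allow-top-navigation')) {
      findings.push(`${src}: allow-top-navigation lets the frame navigate the top-level page`);
    }
  }
  return findings;
}

// Constructed page fragment: an unsandboxed third-party embed, an over-permissive
// same-origin frame, a frame that may redirect the top page, and one that is fine.
const SAMPLE_HTML = `
<iframe src="https://ads.example/widget" width="300" height="250"></iframe>
<iframe src="/help.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://video.example/embed/42" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://pay.example/form" sandbox="allow-scripts allow-forms"></iframe>
`;
const SITE_ORIGIN = 'https://shop.example';
```

Pair the static audit with the runtime check from the list above: in Web Inspector, switch the console context to the embedded frame and evaluate `window.origin`; a frame sandboxed without `allow-same-origin` must report "null".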
4. WebRTC process‑crash bug
The WebRTC issue (CVE‑2026‑28944) could terminate the WebContent process while parsing a malformed SDP description handed to setRemoteDescription. For apps that use RTCPeerConnection in Safari or in a WKWebView, a malicious peer, or anyone who can tamper with the signaling channel, could force a crash in the middle of a call.
What to check
- The fix lives in WebKit, so it covers RTCPeerConnection in Safari and in WKWebView. Native apps that bundle their own WebRTC stack (Google’s `webrtc‑objc` pod, `flutter‑webrtc`) do not use WebKit’s implementation and are neither fixed nor affected by this update; keep those libraries on their upstream’s current patched release instead.
- Until every user has updated, validate remote SDP on your signaling server and again in the client before passing it to setRemoteDescription, and handle `connectionstatechange` reaching "failed" with an ICE restart. Note that if the WebContent process dies, the page’s JavaScript dies with it, so no `onicecandidateerror` or `onconnectionstatechange` handler can observe that; in a WKWebView the recovery hook is the `webViewWebContentProcessDidTerminate(_:)` delegate method.
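The client-side defenses above, as an added example that is not part of the original article: a structural sanity check on a remote SDP description before the browser’s parser sees it (well-formed `type=value` lines, printable ASCII, the required `v=`/`o=`/`s=`/`t=` lines, at least one `m=` section, and a `BUNDLE` group that only references existing mids), a wrapper that refuses to call `setRemoteDescription` on anything that fails it, and a `connectionstatechange` handler that retries with `restartIce()` a bounded number of times. The SDP text is constructed and minimal; a real offer carries many more attributes, and the check is a filter for obviously broken input, not a full SDP parser.

```javascript
// Added example (not from the article): defensive handling around RTCPeerConnection.
// GOOD_SDP and BAD_SDP are constructed, minimal descriptions.

function validateSdp(sdp, maxBytes = 64 * 1024) {
  const errors = [];
  if (typeof sdp !== 'string' || sdp.length === 0) return { ok: false, errors: ['empty description'] };
  if (sdp.length > maxBytes) errors.push(`description exceeds ${maxBytes} bytes`);
  const lines = sdp.split(/\r?\n/);
  if (lines[lines.length - 1] === '') lines.pop(); // trailing CRLF
  lines.forEach((line, i) => {
    if (!/^[a-z]=/.test(line)) errors.push(`line ${i + 1}: not in "<type>=<value>" form`);
    if (/[^\x20-\x7e]/.test(line)) errors.push(`line ${i + 1}: non-printable or non-ASCII byte`);
  });
  const types = lines.map(l => l.slice(0, 2));
  if (lines[0] !== 'v=0') errors.push('first line must be v=0');
  for (const t of ['o=', 's=', 't=']) if (!types.includes(t)) errors.push(`missing required ${t} line`);
  if (!types.includes('m=')) errors.push('no m= media section');
  // a=group:BUNDLE must only reference mids that actually exist in the description.
  const mids = lines.filter(l => l.startsWith('a=mid:')).map(l => l.slice(6));
  const bundle = lines.find(l => l.startsWith('a=group:BUNDLE'));
  if (bundle) {
    for (const mid of bundle.slice('a=group:BUNDLE'.length).trim().split(/\s+/).filter(Boolean)) {
      if (!mids.includes(mid)) errors.push(`BUNDLE references unknown mid "${mid}"`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Refuse to let the browser parse a description that fails the sanity check.
async function safeSetRemoteDescription(pc, description) {
  const { ok, errors } = validateSdp(description && description.sdp);
  if (!ok) throw new Error('rejected remote description: ' + errors.join('; '));
  await pc.setRemoteDescription(description);
  return true;
}

// Transport failure handling. This covers ICE/DTLS failure only: if the WebContent
// process itself crashes, this code is gone with it.
function watchConnection(pc, { maxRestarts = 2, onGiveUp = () => {} } = {}) {
  let restarts = 0;
  pc.addEventListener('connectionstatechange', () => {
    if (pc.connectionState !== 'failed') return;
    if (restarts < maxRestarts) {
      restarts += 1;
      pc.restartIce(); // a new offer follows via the negotiationneeded event
    } else {
      onGiveUp(pc);
    }
  });
  return () => restarts; // lets the caller read how many restarts happened
}

const GOOD_SDP = [
  'v=0', 'o=- 4611731400430051336 2 IN IP4 127.0.0.1', 's=-', 't=0 0',
  'a=group:BUNDLE 0',
  'm=audio 9 UDP/TLS/RTP/SAVPF 111', 'c=IN IP4 0.0.0.0', 'a=mid:0', 'a=rtpmap:111 opus/48000/2',
].join('\r\n') + '\r\n';

// Tampered copy: BUNDLE now points at a mid that does not exist, and a junk line is appended.
const BAD_SDP = GOOD_SDP.replace('a=mid:0', 'a=mid:1') + 'junk\r\n';
```

In the browser, call `safeSetRemoteDescription(pc, offer)` wherever you currently call `pc.setRemoteDescription(offer)` and attach `watchConnection(pc)` right after creating the connection; the same `validateSdp` function can run unchanged in a Node signaling server so malformed descriptions are dropped before they are relayed to the other peer.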
Migration checklist
| Step | Action | Tool / Link |
|---|---|---|
| 1 | Confirm OS version | System Settings → About or Settings → General → About on iOS/iPadOS |
| 2 | Verify Safari version | Safari → About Safari (should show 26.5) |
| 3 | Read the advisory entry for Safari 26.5 | Apple security updates page (support.apple.com/HT201222) |
| 4 | Test CSP enforcement | Google’s CSP Evaluator on the header text, plus an inline‑script probe page loaded in Safari 26.5 |
| 5 | Run automated UI tests on Safari 26.5 | Xcode UI Test target built with the iOS 26.5 SDK, XCUIApplication().launch() |
| 6 | Check WebView wrappers | WKWebView links the system WebKit at runtime, so no SDK bump is needed; update third‑party wrapper packages (React Native WebView, Capacitor, Flutter) to releases that support iOS 26 |
| 7 | Rebuild and re‑export native apps | xcodebuild archive, then xcodebuild -exportArchive with the current toolchain |
| 8 | Monitor crash logs | Console.app → Crash Reports → filter for com.apple.WebKit.WebContent (Safari) or your app’s bundle ID (hybrid apps) |
If any of the steps reveal a mismatch, push the appropriate OS or Safari update through your MDM solution (e.g., Jamf, Microsoft Intune) before the next release cycle.
Why updating matters for cross‑platform teams
React Native, Flutter and Capacitor developers embed the system WebView (WKWebView) on iOS. Those wrappers load the same WebKit framework that Safari uses, so the same vulnerabilities affect hybrid apps, and the same OS update fixes them. Updating the underlying OS is the only mitigation: the fixes are in Apple’s WebKit framework, an app cannot ship its own copy of WebKit on iOS, and no app‑level code change or WebView reload patches a memory‑handling bug in the framework.
For teams that ship a Progressive Web App (PWA), the Safari update also refreshes the service worker implementation. Safari does not implement the Background Sync API, so an offline‑first app should already be relying on its own retry logic rather than on sync events; after the update, confirm that the service worker still registers, that your caches are populated, and, for apps added to the Home Screen, that push notifications still arrive. Lighthouse is a Chrome tool and is not part of Safari’s Web Inspector, so run these checks by hand or from your own test suite.
Bottom line
Safari 26.5 closes a broad set of WebKit bugs that range from CSP bypasses to outright crashes. The fixes are bundled with the latest iOS, iPadOS and macOS releases, so the safest path for developers is to ensure every device in your test matrix runs the newest OS version. Verify CSP behavior, watch for WebContent crash reports, audit your iframe sandboxing, and keep any WebRTC stack you bundle yourself on its own patched release. Doing so protects both your users and the reputation of the apps you ship across iOS, iPadOS and macOS.
Further reading
- Apple’s official security updates page: https://support.apple.com/HT201222
- WebKit Bugzilla entries, where public (e.g., Bug 308906): https://bugs.webkit.org
- Mozilla’s guide on CSP: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- Apple’s WKWebView documentation: https://developer.apple.com/documentation/webkit/wkwebview
Author: Marcus Mendes – senior mobile reporter at 9to5Mac