Apple Fixes Safari WebKit Flaws and Notification Retention Privacy Bug
Apple released Safari 26.5 for macOS Sonoma and macOS Sequoia to fix multiple vulnerabilities in WebKit and WebRTC that could be triggered by malicious web content. The flaws could allow Content Security Policy bypass, disclosure of sensitive user information, access to sensitive user data, misuse of another website’s download settings through a malicious iframe, and application or process crashes. Apple attributed the issues to validation, access control, UI handling, memory handling, and use-after-free weaknesses, and credited a broad set of external researchers and organizations for the findings.
Apple also shipped updates for older devices—iOS 16.7.16, iPadOS 16.7.16, iPadOS 17.7.11, and iOS/iPadOS 15.8.8—to address CVE-2026-28950 in Notification Services. The bug could cause notifications marked for deletion to remain on a device because of a logging issue, creating a privacy and data-handling risk; Apple said it resolved the problem through improved data redaction. Canada’s Cyber Centre urged users and administrators to review Apple’s advisories and apply the updates, including upgrading Safari systems to 26.5 or later.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security urges users to apply Safari 26.5 update
On 2026-05-13, the Canadian Centre for Cyber Security issued advisory AV26-466 highlighting Apple's Safari vulnerabilities and recommending that users and administrators update to Safari 26.5 or later. The notice referenced Apple's security information and emphasized prompt patching.
Apple publishes Safari 26.5 security advisory and update
On 2026-05-13, Apple published advisory APPLE-SA-05-13-2026-1 and released Safari 26.5 for macOS Sonoma and macOS Sequoia. The update addressed multiple WebKit and WebRTC vulnerabilities that could enable sensitive data disclosure, Content Security Policy bypass, misuse of download settings, and browser or process crashes.
Apple releases iOS 18.7.9 and iPadOS 18.7.9 security updates
On 2026-05-11, Apple published advisory APPLE-SA-05-11-2026-2 and released iOS 18.7.9 and iPadOS 18.7.9 for supported older devices. The update fixed numerous vulnerabilities across Kernel, WebKit, Wi‑Fi, mDNSResponder, IOKit, and other components, including flaws that could enable root privilege escalation, kernel-level code execution, sensitive data disclosure, denial of service, and security bypasses.
Apple releases fixes for retained deleted notifications across older iOS and iPadOS versions
On 2026-05-11, Apple released iOS 16.7.16, iPadOS 17.7.11, and iOS/iPadOS 15.8.8 to fix CVE-2026-28950, a Notification Services logging issue that could cause notifications marked for deletion to remain on devices. Apple said the issue was mitigated through improved data redaction and made the updates available via Software Update and iTunes.
Apple releases iOS 26.4.2 and iPadOS 26.4.2 with notification privacy fix
On 2026-04-22, Apple released iOS 26.4.2 and iPadOS 26.4.2 as bug-fix and security updates. Apple disclosed a fix for a privacy issue where notifications marked for deletion could be unexpectedly retained on the device, and also shipped iOS/iPadOS 18.7.8 with the same fix for older devices.
Sources
7 references tracked.
Apple security advisory (AV26-466) - Canadian Centre for Cyber Security (cyber.gc.ca)
Full Disclosure: APPLE-SA-05-13-2026-1 Safari 26.5 (seclists.org)
Full Disclosure: APPLE-SA-05-11-2026-5 iOS 15.8.8 and iPadOS 15.8.8 (seclists.org)
Full Disclosure: APPLE-SA-05-11-2026-3 iPadOS 17.7.11 (seclists.org)
Full Disclosure: APPLE-SA-05-11-2026-2 iOS 18.7.9 and iPadOS 18.7.9 (seclists.org)
Full Disclosure: APPLE-SA-05-11-2026-4 iOS 16.7.16 and iPadOS 16.7.16 (seclists.org)
Apple releases iOS 26.4.2 for iPhone, here’s what’s new - 9to5Mac (9to5mac.com)


