Mallory
Tags: widely-deployed-product-advisory, endpoint-software-vulnerability, internet-facing-service-vulnerability, privacy-surveillance-policy

Apple Fixes Safari WebKit Flaws and Notification Retention Privacy Bug

Updated 2d ago. First seen May 13, 2026. 7 sources.

Apple released Safari 26.5 for macOS Sonoma and macOS Sequoia to fix multiple vulnerabilities in WebKit and WebRTC that could be triggered by malicious web content. The flaws could allow Content Security Policy bypass, disclosure of sensitive user information, access to sensitive user data, misuse of another website’s download settings through a malicious iframe, and application or process crashes. Apple attributed the issues to validation, access control, UI handling, memory handling, and use-after-free weaknesses, and credited a broad set of external researchers and organizations for the findings.

Apple also shipped updates for older devices—iOS 16.7.16, iPadOS 16.7.16, iPadOS 17.7.11, and iOS/iPadOS 15.8.8—to address CVE-2026-28950 in Notification Services. The bug could cause notifications marked for deletion to remain on a device because of a logging issue, creating a privacy and data-handling risk; Apple said it resolved the problem through improved data redaction. Canada’s Cyber Centre urged users and administrators to review Apple’s advisories and apply the updates, including upgrading Safari systems to 26.5 or later.


Event timeline

How this story unfolded: 5 events, from the most recent confirmed update back to the earliest known activity.
May 13, 2026

Canadian Centre for Cyber Security urges users to apply Safari 26.5 update

On 2026-05-13, the Canadian Centre for Cyber Security issued advisory AV26-466 highlighting Apple's Safari vulnerabilities and recommending that users and administrators update to Safari 26.5 or later. The notice referenced Apple's security information and emphasized prompt patching.

Apple publishes Safari 26.5 security advisory and update

On 2026-05-13, Apple published advisory APPLE-SA-05-13-2026-1 and released Safari 26.5 for macOS Sonoma and macOS Sequoia. The update addressed multiple WebKit and WebRTC vulnerabilities that could enable sensitive data disclosure, Content Security Policy bypass, misuse of download settings, and browser or process crashes.

May 11, 2026

Apple releases iOS 18.7.9 and iPadOS 18.7.9 security updates

On 2026-05-11, Apple published advisory APPLE-SA-05-11-2026-2 and released iOS 18.7.9 and iPadOS 18.7.9 for supported older devices. The update fixed numerous vulnerabilities across Kernel, WebKit, Wi‑Fi, mDNSResponder, IOKit, and other components, including flaws that could enable root privilege escalation, kernel-level code execution, sensitive data disclosure, denial of service, and security bypasses.

Full Disclosure: APPLE-SA-05-11-2026-2 iOS 18.7.9 and iPadOS 18.7.9

Apple releases fixes for retained deleted notifications across older iOS and iPadOS versions

On 2026-05-11, Apple released iOS 16.7.16, iPadOS 17.7.11, and iOS/iPadOS 15.8.8 to fix CVE-2026-28950, a Notification Services logging issue that could cause notifications marked for deletion to remain on devices. Apple said the issue was mitigated through improved data redaction and made the updates available via Software Update and iTunes.

Apr 22, 2026

Apple releases iOS 26.4.2 and iPadOS 26.4.2 with notification privacy fix

On 2026-04-22, Apple released iOS 26.4.2 and iPadOS 26.4.2 as bug-fix and security updates. Apple disclosed a fix for a privacy issue where notifications marked for deletion could be unexpectedly retained on the device, and also shipped iOS/iPadOS 18.7.8 with the same fix for older devices.

Apple releases iOS 26.4.2 for iPhone, here’s what’s new - 9to5Mac
Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story (89 linked).

Vulnerabilities
60 linked
Apple Notification Services retained deleted notifications
WebKit iframe download settings confusion in Safari
WebKit Content Security Policy enforcement bypass
Safari/WebKit crash on malicious web content
WebKit process crash on malicious web content in Apple Safari and Apple platforms
WebKit process crash on malicious web content
Use-after-free in WebKit leading to Safari crash
WebKit process crash on malicious web content in Apple platforms
Use-After-Free RCE in Apple Safari WebCore Style Resolver
WebKit process crash on malicious web content in Apple Safari and Apple platforms
Use-after-free in WebKit leading to Safari crash
WebKit Content Security Policy enforcement bypass in Apple Safari and Apple platforms
WebKit process crash on malicious web content in Apple Safari and Apple platforms
Sensitive Information Disclosure in Apple WebKit
Heap-based Buffer Overflow RCE in Apple Safari Regular Expression Duplicate Named Groups
WebKit process crash on malicious web content in Apple platforms
Sensitive user data access in WebKit
Out-of-bounds write in Apple kernel components / process crash in WebRTC
WebKit process crash on malicious web content
Use-after-free in WebKit leading to Safari crash
WebKit use-after-free process crash in Apple Safari and Apple platforms
Use-after-free in WebKit leading to process crash
Installed App Enumeration in Apple libxpc
Sensitive user data access in Apple Accounts authorization handling
Denial-of-service in Apple Calling Framework
Information disclosure in Apple GeoServices
CoreServices crafted file denial of service in Apple platforms
Kernel buffer overflow in Apple operating systems
Denial-of-service in Apple mDNSResponder
App Privacy Report Logging Bypass in Apple Privacy
IOHIDFamily memory corruption leading to app termination
Out-of-bounds write in Apple Quick Look file parsing
Root privilege escalation in Apple Kernel authorization handling
Use-after-free in Apple IOKit
Kernel memory layout disclosure in Apple IOHIDFamily logging
Gatekeeper quarantine bypass via crafted disk image in Apple Kernel
Integer Overflow in Apple Kernel Leading to System Termination
Sensitive kernel state leak in Apple Kernel logging
Remote image display in Apple Mail Drafts Lockdown Mode
Out-of-bounds write in Apple mDNSResponder
Out-of-bounds write in Apple Wi‑Fi allowing kernel code execution
Denial-of-Service in Apple Calendar via Resource Exhaustion
Sensitive data access in Apple Shortcuts due to insufficient user consent prompting
Out-of-bounds write in Apple Kernel
Buffer Overflow in APFS Causing System Termination
Sandbox escape in Apple App Intents
Out-of-bounds read information disclosure in Apple Model I/O USD library
Use-after-free in Apple mDNSResponder
Process termination in Apple Audio media file parsing
Screen Capture Logic Flaw in Apple Status Bar
IP address tracking issue in Apple Networking
ImageIO crafted file bounds-check issue causing app termination
Sensitive user data access race condition in Apple FileProvider
Type confusion denial-of-service in Apple LaunchServices
Sensitive data leak via malicious website in Apple zlib
Buffer Overflow in Apple SceneKit
Kernel memory disclosure in Apple Kernel
Use-after-free denial of service in Apple Wi‑Fi packet handling
Apple Kernel race condition leading to unexpected system termination
Out-of-bounds write in Apple Model I/O/USD image parsing
Affected products
8 linked
Safari, WebKit, iPadOS, macOS Sonoma, macOS Sequoia, iOS, iTunes, iCloud
Organizations
21 linked
Apple, Trend Micro, Palo Alto Networks, Anthropic, AISLE, iVerify, Nosebeard Labs, Calif.io, STAR Labs SG Pte. Ltd, Totally Not Malicious Software, 9to5Mac, Google, Iru, Reverse Society, Cantina, Voynich Group, Calif, Xint Code, Beryllium Security, Talence Security, Kakao Games