{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20652", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-11-11T14:43:07.864Z", "datePublished": "2026-02-11T22:59:04.639Z", "dateUpdated": "2026-04-02T18:26:31.460Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "A remote attacker may be able to cause a denial-of-service"}]}], "affected": [{"vendor": "Apple", "product": "Safari", "versions": [{"version": "0", "status": "affected", "lessThan": "26.3", "versionType": "custom"}]}, {"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"version": "0", "status": "affected", "lessThan": "18.7.5", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "26.3", "versionType": "custom"}]}, {"vendor": "Apple", "product": "macOS", "versions": [{"version": "0", "status": "affected", "lessThan": "26.3", "versionType": "custom"}]}, {"vendor": "Apple", "product": "visionOS", "versions": [{"version": "0", "status": "affected", "lessThan": "26.3", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A remote attacker may be able to cause a denial-of-service."}], "references": [{"url": "https://support.apple.com/en-us/126346"}, {"url": "https://support.apple.com/en-us/126347"}, {"url": "https://support.apple.com/en-us/126348"}, {"url": "https://support.apple.com/en-us/126353"}, {"url": "https://support.apple.com/en-us/126354"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:26:31.460Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T19:30:51.349079Z", "id": "CVE-2026-20652", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T19:31:21.723Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"affected": [{"vendor": "Apple", "product": "Safari", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "26.3", "versionType": "custom"}]}, {"vendor": "Apple", "product": "macOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "26.3", "versionType": "custom"}]}, {"vendor": "Apple", "product": "visionOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "26.3", "versionType": "custom"}]}, {"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "26.3", "versionType": "custom"}]}, {"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "18.7", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/126354"}, {"url": "https://support.apple.com/en-us/126348"}, {"url": "https://support.apple.com/en-us/126353"}, {"url": "https://support.apple.com/en-us/126346"}, {"url": "https://support.apple.com/en-us/126347"}], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved memory handling. This issue is fixed in macOS Tahoe 26.3, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3, Safari 26.3. A remote attacker may be able to cause a denial-of-service."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "A remote attacker may be able to cause a denial-of-service"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-02-11T22:59:04.639Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20652", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T19:30:51.349079Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-02-12T19:30:08.837Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-20652", "state": "PUBLISHED", "dateUpdated": "2026-02-11T22:59:04.639Z", "dateReserved": "2025-11-11T14:43:07.864Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2026-02-11T22:59:04.639Z", "assignerShortName": "apple"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "matchCriteriaId": "13054182-3C0A-47D3-AABE-2B248BA17814", "versionEndExcluding": "26.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "matchCriteriaId": "5DF4C0EE-C67C-4BA1-BB50-C51DEC72E486", "versionEndExcluding": "18.7.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "matchCriteriaId": "00E2601B-7453-4C8B-A307-EF7BC5BF2E84", "versionEndExcluding": "26.3", "versionStartIncluding": "26.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "273784FD-F8F0-466D-AF6E-5511FF3781B7", "versionEndExcluding": "18.7.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "951073F9-924E-4D9C-8DA1-64E284326CC5", "versionEndExcluding": "26.3", "versionStartIncluding": "26.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1EEEE88-5ADA-4C55-9C7C-397E904408DD", "versionEndExcluding": "26.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*", "matchCriteriaId": "388EDB3F-A14E-4922-B88A-F1CB6DE50A2A", "versionEndExcluding": "26.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A remote attacker may be able to cause a denial-of-service."}, {"lang": "es", "value": "El problema se abord\u00f3 con un manejo de memoria mejorado. Este problema est\u00e1 solucionado en macOS Tahoe 26.3, iOS 18.7.5 y iPadOS 18.7.5, visionOS 26.3, iOS 26.3 y iPadOS 26.3, Safari 26.3. Un atacante remoto podr\u00eda causar una denegaci\u00f3n de servicio."}], "id": "CVE-2026-20652", "lastModified": "2026-04-02T19:21:17.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-11T23:16:08.033", "references": [{"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/126346"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/126347"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/126348"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/126353"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/126354"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "webkitgtk: A remote attacker may be able to cause a denial-of-service", "id": "2448793", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448793"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-120", "details": ["The issue was addressed with improved memory handling. This issue is fixed in macOS Tahoe 26.3, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3, Safari 26.3. A remote attacker may be able to cause a denial-of-service.", "A flaw was found in WebKitGTK. A remote attacker may be able to cause a denial-of-service due to improper memory handling."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2026-20652", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "webkitgtk", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "webkitgtk3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "webkitgtk4", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "webkit2gtk3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "webkit2gtk3", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-20652\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-20652\nhttps://webkitgtk.org/security/WSA-2026-0001.html"], "statement": "This issue allows a remote attacker to cause a denial-of-service. Due to this reason, this flaw has been rated with an important severity.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.3)"}}], "product": "ios_and_ipados", "vendor": "apple"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,18.7)"}}], "product": "ios_and_ipados", "vendor": "apple"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.3)"}}], "product": "macos", "vendor": "apple"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.3)"}}], "product": "safari", "vendor": "apple"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.3)"}}], "product": "visionos", "vendor": "apple"}], "analysis": {"en": {"generated_at": "2026-04-15T20:46:44.137075+00:00", "value": {"mitigation_remediation": ["Apply the latest Apple security updates that patch Safari 26.3, iOS 18.7.5/26.3, iPadOS 18.7.5/26.3, macOS 26.3, and visionOS 26.3 to eliminate the memory handling flaw.", "If devices cannot be updated immediately, restrict access to untrusted web content that might trigger the flaw by enabling strict Content Security Policy or disabling WebKit\u2011based content rendering where possible.", "Continuously monitor browser stability logs for unexpected crashes or high memory usage, and apply the patch as soon as it becomes available."], "summary": {"action": "Patch Immediately", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected Apple products include Safari, iOS, iPadOS, macOS, and visionOS. Specifically Safari 26.3, iOS 18.7.5 and 26.3, iPadOS 18.7.5 and 26.3, macOS Tahoe 26.3, and visionOS 26.3 are susceptible.", "description_and_impact": "The vulnerability is a memory handling flaw that can trigger a local crash when a crafted WebKit page is loaded. The flaw is a buffer overflow and a resource exhaustion weakness, meaning a remote attacker can cause the browser to crash or consume excessive resources. As a result, a remote user can cause a denial\u2011of\u2011service on the affected device, impacting availability significantly.", "risk_and_exploitability": "The CVSS base score of 7.5 indicates a high impact, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely client\u2011side, requiring an attacker to lure a user into visiting malicious WebKit content. If exploited, the browser or related system component will crash or become unresponsive, leading to service interruption. Given the high severity and potential for service disruption, organizations should prioritize applying the available updates."}}}}, "created": "2026-02-12T09:02:10.332682+00:00", "updated": "2026-04-15T21:00:09.930165+00:00", "vendors": ["apple", "apple$PRODUCT$ios_and_ipados", "apple$PRODUCT$macos", "apple$PRODUCT$safari", "apple$PRODUCT$visionos"]}