About the security content of Safari 26

This document describes the security content of Safari 26.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

Safari 26

Released September 15, 2025

Safari

Available for: macOS Sonoma and macOS Sequoia

Impact: Visiting a malicious website may lead to address bar spoofing

Description: The issue was addressed by adding additional logic.

CVE-2025-43327: @RenwaX23

Safari

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may lead to unexpected URL redirection

Description: This issue was addressed with improved URL validation.

CVE-2025-31254: Evan Waelde

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: A website may be able to access sensor information without user consent

Description: The issue was addressed with improved handling of caches.

WebKit Bugzilla: 296153

CVE-2025-43356: Jaydev Ahire

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 294550

CVE-2025-43272: Big Bear

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 296490

CVE-2025-43343: an anonymous researcher

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may lead to an unexpected process crash

Description: A correctness issue was addressed with improved checks.

WebKit Bugzilla: 296042

CVE-2025-43342: an anonymous researcher

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may lead to memory corruption

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 293895

CVE-2025-43419: Ignacio Sanmillan (@ulexec)

Entry added November 3, 2025

WebKit

Available for: macOS Sonoma and macOS Sequoia

Impact: A remote attacker may be able to view leaked DNS queries with Private Relay turned on

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 295943

CVE-2025-43376: Mike Cardwell of grepular.com, Bob Lord

Entry added November 3, 2025

WebKit Process Model

Available for: macOS Sonoma and macOS Sequoia

Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash

Description: A use-after-free issue was addressed with improved memory management.

WebKit Bugzilla: 296276

CVE-2025-43368: Pawel Wylecial of REDTEAM.PL working with Trend Micro Zero Day Initiative

Additional recognition

libxml2

We would like to acknowledge Nathaniel Oh (@calysteon) for their assistance.

Safari

We would like to acknowledge Chi Yuan Chang of ZUSO ART and taikosoup, Dalibor Milanovic, HitmanAlharbi (@HitmanF15), Jake Derouin (jakederouin.com), Jaydev Ahire, Kenneth Chew for their assistance.

Entry updated November 3, 2025

WebKit

We would like to acknowledge Matthew Liang, Stanley Lee Linton, Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.

Entry updated November 3, 2025

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.
