This document describes the security content of Safari 26.
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
Released September 15, 2025
Available for: macOS Sonoma and macOS Sequoia
Impact: Visiting a malicious website may lead to address bar spoofing
Description: The issue was addressed with additional logic.
CVE-2025-43327: @RenwaX23
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to unexpected URL redirection
Description: This issue was addressed with improved URL validation.
CVE-2025-31254: Evan Waelde
Available for: macOS Sonoma and macOS Sequoia
Impact: A website may be able to access sensor information without user consent
Description: The issue was addressed with improved handling of caches.
WebKit Bugzilla: 296153
CVE-2025-43356: Jaydev Ahire
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 294550
CVE-2025-43272: Big Bear
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 296490
CVE-2025-43343: an anonymous researcher
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A correctness issue was addressed with improved checks.
WebKit Bugzilla: 296042
CVE-2025-43342: an anonymous researcher
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to memory corruption
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 293895
CVE-2025-43419: Ignacio Sanmillan (@ulexec)
Entry added November 3, 2025
Available for: macOS Sonoma and macOS Sequoia
Impact: A remote attacker may be able to view leaked DNS queries with Private Relay turned on
Description: A logic issue was addressed with improved state management.
WebKit Bugzilla: 295943
CVE-2025-43376: Mike Cardwell of grepular.com, Bob Lord
Entry added November 3, 2025
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 296276
CVE-2025-43368: Pawel Wylecial of REDTEAM.PL working with Trend Micro Zero Day Initiative
We would like to acknowledge Nathaniel Oh (@calysteon) for their assistance.
We would like to acknowledge Chi Yuan Chang of ZUSO ART and taikosoup, Dalibor Milanovic, HitmanAlharbi (@HitmanF15), Jake Derouin (jakederouin.com), Jaydev Ahire, and Kenneth Chew for their assistance.
Entry updated November 3, 2025
We would like to acknowledge Matthew Liang, Stanley Lee Linton, and Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.
Entry updated November 3, 2025