About the security content of Safari 26
This document describes the security content of Safari 26.
About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
Safari 26
Released September 15, 2025
Safari
Available for: macOS Sonoma and macOS Sequoia
Impact: Visiting a malicious website may lead to address bar spoofing
Description: The issue was addressed by adding additional logic.
CVE-2025-43327: @RenwaX23
Safari
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to unexpected URL redirection
Description: This issue was addressed with improved URL validation.
CVE-2025-31254: Evan Waelde
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: A website may be able to access sensor information without user consent
Description: The issue was addressed with improved handling of caches.
WebKit Bugzilla: 296153
CVE-2025-43356: Jaydev Ahire
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 294550
CVE-2025-43272: Big Bear
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 296490
CVE-2025-43343: an anonymous researcher
WebKit
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A correctness issue was addressed with improved checks.
WebKit Bugzilla: 296042
CVE-2025-43342: an anonymous researcher
WebKit Process Model
Available for: macOS Sonoma and macOS Sequoia
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 296276
CVE-2025-43368: Pawel Wylecial of REDTEAM.PL working with Trend Micro Zero Day Initiative
Additional recognition
libxml2
We would like to acknowledge Nathaniel Oh (@calysteon) for their assistance.
Safari
We would like to acknowledge HitmanAlharbi (@HitmanF15), Jaydev Ahire, Kenneth Chew for their assistance.
WebKit
We would like to acknowledge Bob Lord, Matthew Liang, Mike Cardwell of grepular.com, Stanley Lee Linton, Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.