About the security content of macOS Tahoe 26.5.2
This update delivers security fixes that were first made available in the macOS Tahoe 26.6 beta. This document describes the security content of macOS Tahoe 26.5.2.
About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
macOS Tahoe 26.5.2
Released June 29, 2026
IOGPUFamily
Available for: macOS Tahoe
Impact: An app may be able to cause unexpected system termination
Description: A race condition was addressed with improved state handling.
CVE-2026-43743: Lyutoon, Dun
Kernel
Available for: macOS Tahoe
Impact: An app may be able to cause unexpected system termination or write kernel memory
Description: The issue was addressed with improved input sanitization.
CVE-2026-43724: Hyunwoo Kim (@v4bel)
Kernel
Available for: macOS Tahoe
Impact: An app may be able to leak sensitive kernel state
Description: The issue was addressed with improved input sanitization.
CVE-2026-43722: Feng Xue and XGPT of ThreatBook, Hyunwoo Kim (@v4bel)
Kernel
Available for: macOS Tahoe
Impact: An app may be able to cause unexpected system termination or corrupt kernel memory
Description: This issue was addressed with improved input validation.
CVE-2026-39868: Vladislav Shevchenko (Positive Technologies), Ye Zhang (@VAR10CK) of Baidu Security, Billy Jheng Bing Jhong and Pan Zhenpeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.
libxslt
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A double free issue was addressed with improved memory management.
CVE-2026-43706: Tristan Madani (@TristanInSec) from Talence Security
libxslt
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
CVE-2026-43703: Tristan Madani (@TristanInSec) from Talence Security
Web Extensions
Available for: macOS Tahoe
Impact: A malicious web extension may be able to cause an unexpected process crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 314642
CVE-2026-43704: dr3dd
WebKit
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may disclose sensitive user information
Description: A cross-origin issue was addressed with improved tracking of security origins.
WebKit Bugzilla: 315368
CVE-2026-43700: Vitaly Simonovich, Christian Meurer Xavier
WebKit
Available for: macOS Tahoe
Impact: A malicious website may exfiltrate data cross-origin
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 313357
CVE-2026-43735: Merrick Hare, Drinor Selmanaj (Sentry), Khai Tran, John Lussier, Rhyru9, Kwak Kiyong, Song Nuri
WebKit
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 313693
CVE-2026-43734: Jonathan Alush-Aben
WebKit Bugzilla: 313857
CVE-2026-43726: Josef Korbel (Citadelo), Tristan Madani (@TristanInSec) from Talence Security, Gia Bui (@yabeow) from Calif.io, Narendra Singh (@_3P1C)
WebKit Bugzilla: 314398
CVE-2026-43709
WebKit Bugzilla: 317227
CVE-2026-43699: Tommy DeVoss from Braze Security Team (@thedawgyg)
WebKit Bugzilla: 315161
CVE-2026-43742: Юлия Мерцалова
WebKit
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may disclose sensitive user information
Description: A path handling issue was addressed with improved validation.
WebKit Bugzilla: 313085
CVE-2026-43732: Nan Wang (@eternalsakura13)
WebKit
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to memory corruption
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 314115
CVE-2026-43731: dr3dd
WebKit Bugzilla: 313577
CVE-2026-43715: Milad Nasr and Nicholas Carlini with Claude, Anthropic
WebKit
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 313691
CVE-2026-43727: Tommy DeVoss from Braze Security Team (@thedawgyg), Gia Bui (@yabeow) from Calif.io, Gurpreet Shergill
WebKit
Available for: macOS Tahoe
Impact: A malicious website may be able to process restricted web content outside the sandbox
Description: The issue was addressed with improved input validation.
WebKit Bugzilla: 312832
CVE-2026-43725: Luke Francis
WebKit
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 312781
CVE-2026-43663: Soyeon Park, Amy Burnett, Khai Tran, sherkito, Kota Toda, HexRabbit (@h3xr4bb1t) and NiNi (@terrynini38514) of DEVCORE Research Team, Using GLM From Z.AI, Tristan Madani (@TristanInSec) from Talence Security, Brian Carpenter
WebKit Bugzilla: 313528
CVE-2026-39872: Utkarsh Pal, Ignacio Sanmillan (@ulexec)
WebKit Bugzilla: 314235
CVE-2026-43712: Kwak Kiyong, Song Nuri, Tristan Madani (@TristanInSec) from Talence Security
WebKit
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 315047
CVE-2026-43716: Tuan and Duc from Calif.io, OpenAI Codex Security - Amy Burnett, Evan Lambert
WebKit
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: An out-of-bounds access issue was addressed with improved bounds checking.
WebKit Bugzilla: 317231
CVE-2026-43676: Mateusz Krzywicki (iVerify.io), dr3dd, Tommy DeVoss from Braze Security Team (@thedawgyg)
WebKit
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may result in the disclosure of process memory
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 308046
CVE-2026-43740: Nathaniel Oh (@calysteon), Arni Hardarson
WebKit
Available for: macOS Tahoe
Impact: Visiting a website may leak sensitive data
Description: A permissions issue was addressed with additional restrictions.
WebKit Bugzilla: 314806
CVE-2026-43713: Jody Ritonga
WebKit
Available for: macOS Tahoe
Impact: A malicious website may exfiltrate data cross-origin
Description: The issue was addressed with improved input validation.
WebKit Bugzilla: 315306
CVE-2026-43708: Behzad Najjarpour Jabbari (@_G4ru_)
WebKit
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: A memory corruption issue was addressed with improved memory handling.
WebKit Bugzilla: 315951
CVE-2026-43707: OpenAI Codex Security - Amy Burnett
WebKit
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to memory corruption
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 314528
CVE-2026-43705: dr3dd
WebKit
Available for: macOS Tahoe
Impact: A malicious website may be able to process restricted web content outside the sandbox
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 315004
CVE-2026-43701: Aaron Grattafiori - NVIDIA AI Red Team
WebKit
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: An out-of-bounds write issue was addressed with improved input validation.
WebKit Bugzilla: 315365
CVE-2026-43745: OpenAI Codex Security - Amy Burnett, Khai Tran
WebKit Canvas
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 313175
CVE-2026-43720: Gia Bui (@yabeow) from Calif.io, Josef Korbel
WebKit Storage
Available for: macOS Tahoe
Impact: A malicious website may be able to silently hijack clipboard data
Description: This issue was addressed through improved state management.
WebKit Bugzilla: 313478
CVE-2026-43721: Idan Masas
WebRTC
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected process crash
Description: An out-of-bounds access issue was addressed with improved bounds checking.
WebKit Bugzilla: 317324
CVE-2026-28979
WebRTC
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: A stack overflow was addressed with improved input validation.
WebKit Bugzilla: 313350
CVE-2026-43718: Nan Wang (@eternalsakura13)
WebRTC
Available for: macOS Tahoe
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: A use-after-free issue was addressed with improved memory management.
WebKit Bugzilla: 313351
CVE-2026-43717: Nan Wang (@eternalsakura13)
WebKit Bugzilla: 314090
CVE-2026-43746: dr3dd
Additional recognition
libxslt
We would like to acknowledge Kubilay Berk Alkan for their assistance.
WebKit
We would like to acknowledge Henock Habte and Souta Sugiyama for their assistance.
WebKit JavaScript Bindings
We would like to acknowledge Karan Kurani for their assistance.