Back to all posts
Published on · by Renaud Deraison

macOS 26.5 patches ten WebKit bugs — here is what each one would have done to a Bromure user

Apple shipped macOS Tahoe 26.5 on May 11, 2026, with roughly seventy security fixes including ten WebKit vulnerabilities. We walk through the WebKit list one CVE class at a time and ask the only question that matters in 2026 — what does this bug actually reach, on a machine running Bromure?

A patch note is not a threat model. "Processing maliciously crafted web content may lead to an unexpected Safari crash" is the polite way the vendor says that for some users this bug was the last thing the browser did before something else ran. The useful question is what that something else gets to touch.

On May 11, 2026, Apple published About the security content of macOS Tahoe 26.5. The release closes roughly seventy CVEs across the operating system, of which ten sit inside WebKit — Safari's rendering engine, also the engine behind every other "web view" on macOS, from Mail's HTML renderer to the embedded browser inside the App Store. None of the ten are listed by Apple as exploited in the wild. That is not the same as saying they were not exploited, only that Apple has no evidence pointing that way today. The rest of this post takes the advisory at face value and asks a narrower, more useful question: for each of these bugs, what would it have done to a Bromure user?

The short answer is in the title. The longer answer is what makes the architecture worth writing about.

The advisory, in plain words

Reading an Apple security note is partly a vocabulary exercise. The canonical phrasing — "processing maliciously crafted web content may lead to" — covers a spectrum that runs from "a tab will close" all the way to "the box is gone." What separates them is the bug class, and the advisory says that part too, just quietly.

macOS Tahoe 26.5 — WebKit CVEs by classsource: support.apple.com/en-us/127115, 2026-05-11USE-AFTER-FREE5 CVEsCVE-2026-28883CVE-2026-28942CVE-2026-28946CVE-2026-28947CVE-2026-28953*Apple's stated impactunexpected Safari crashor process crashRealistic ceilingarbitrary code executioninside the renderer,given a working primitiveOTHER MEMORY3 CVEs (UAF cluster + 2)CVE-2026-28901CVE-2026-28902CVE-2026-28903CVE-2026-28904CVE-2026-28905CVE-2026-28913CVE-2026-28955CVE-2026-43658CVE-2026-28917Apple's stated impactprocess crash frommemory corruptionor bad inputLOGIC / POLICY5 CVEsCVE-2026-43660 — CSP bypassCVE-2026-28907 — CSP bypassCVE-2026-28962 — info disclosureCVE-2026-28958 — sensitive dataCVE-2026-28971 — iframe download UIApple's stated impactpolicy not enforced,sensitive data exposed,cross-origin confusionWhy these matterthey are the rungsa memory bug climbs*CVE-2026-28953 is one of a UAF cluster Apple groups together; the exact subtype is not separately enumerated.
The ten WebKit CVEs in macOS Tahoe 26.5, grouped by bug class. Each class has a different ceiling on what an exploit chain built on top of it can reach. The bottom two classes — memory corruption with arbitrary code execution potential, and use-after-free — are the ones that, in the historical record, have most often been chained into renderer compromises and on into the host.

Apple does not, as a matter of policy, publish exploitability analyses. The wording is deliberate: a "process crash" can mean the renderer hits an assert and dies harmlessly, or it can mean the renderer enters a state where, with a few weeks of work and a heap groom, an attacker turns the crash into a write primitive and then into code execution. Researchers in the field have repeatedly demonstrated that the second outcome is achievable for a large share of WebKit use-after-frees disclosed in this exact phrasing — CVE-2025-43529, patched in macOS 26.2 last December, was described in identical language and was being exploited in targeted attacks at the time of disclosure. So the right way to read this advisory is as a list of candidates for the next round of in-the-wild exploitation, not as a list of bugs we know to be harmless.

Class one — the five use-after-frees

A use-after-free, in one sentence, is a bug where the browser releases a chunk of memory holding some object — a DOM node, an event listener, a JavaScript wrapper — and then keeps using the old reference as if the object were still alive. By the time the old reference is dereferenced, the slot has been refilled by something else: another object the page just created, or a buffer the page just filled with bytes that look like a function pointer. The page now controls a pointer the browser is treating as trusted.

CVE-2026-28883, CVE-2026-28942, CVE-2026-28946, CVE-2026-28947, and the UAF subset of the CVE-2026-28901 — CVE-2026-28913 cluster are the five WebKit use-after-frees in this release. Apple credits them to a mix of independent researchers and, in one case (CVE-2026-28942), to Milad Nasr and Nicholas Carlini working with Claude — the same broader category of AI-assisted vulnerability research that Mozilla described in April when it credited an early Mythos run with 271 fixes in a single Firefox release.

On a Mac running stock macOS 26.5 before applying this update, the worst-case version of one of these bugs looks like this:

  1. You visit a page. The page runs JavaScript that exercises some DOM operation in a way that triggers the use-after-free.
  2. The renderer's memory is groomed so that the freed slot is refilled with something the attacker controls.
  3. Code execution lands inside the Safari content process — the same address space as your browsing session, your cookies, your logged-in tabs.
  4. A second-stage exploit, chained onto the first, escapes the content sandbox into the broader Safari process. WebKit's sandbox is solid but not unbreakable; the last several years include several documented breakouts.
  5. Once outside the sandbox, the attacker is running as your user account, on your machine. They have read access to ~/Documents, ~/Library/Keychains, ~/.ssh, the cookies in Safari's stored profile, the contents of iCloud Drive that have been pulled down for offline use, and whatever else lives under your home directory.

That is the full traditional-browser chain. None of the steps are hypothetical; every one of them has been observed in a real in-the-wild WebKit chain in the last three years.

Same bug in stock SafariYOUR MAC · YOUR USER ACCOUNTSafari content processuse-after-free firesCode execution in renderercookies, profile, open tabs reachableSandbox escape (second stage)running as your user accountFiles~/DocumentsKeychain~/LibrarySSH keys~/.sshiCloud Drivecached filesPersistence installs in LaunchAgents.The Mac is compromised.Same bug in BromureYOUR MAC · YOUR USER ACCOUNTDISPOSABLE PER-TAB VMChromium content process(but this is a WebKit bug — see below)Code execution in rendererinside the ephemeral guest onlyCONTAINED — TAB CLOSES, VM DIESFilesuntouchedKeychainuntouchedSSH keysuntouchediCloud DriveuntouchedPersistence has nowhere to land.The host Mac is unchanged.
A WebKit use-after-free in stock Safari versus the same bug detonating inside a Bromure tab. The bug fires either way. The difference is what is on the other side of the renderer when it does.

There is one detail in the right-hand diagram worth being upfront about: Bromure does not use WebKit. Each tab runs Chromium inside its disposable Linux guest VM. So the literal text of these CVEs — five WebKit use-after-frees — does not apply to the rendering engine Bromure ships. A user on Bromure who has never applied macOS 26.5 is not exposed to these specific WebKit bugs through the Bromure tab they have open.

That is not, on its own, an interesting claim. Chrome has its own catalog of memory bugs. Firefox has its own. The point is the second-order one: even if you mentally substitute these CVEs with the equivalent class of Chromium V8 or Blink use-after-frees — CVE-2024-7971, the V8 type confusion that North-Korean-aligned actors used in 2024, is the obvious analogue — the picture on the right does not change. The exploit fires inside the renderer. The renderer is inside the guest VM. Code execution lands in a Linux box that does not contain your keychain, your Documents folder, or your SSH keys. When the tab closes, the VM is destroyed.

Class two — three more memory bugs and an input-validation bug

CVE-2026-43658 is the only WebKit bug in this advisory that Apple explicitly labels "memory handling" rather than use-after-free; the stated impact is an unexpected Safari crash. CVE-2026-28917 is labeled as input validation, also producing a process crash. Both sit in the same general bucket as the use-after-frees — they are crashes in WebKit's address space caused by a hostile page — and both have the same realistic ceiling: with enough work, a "crash" can in some cases be promoted into a code-execution primitive, and in others remains genuinely just a crash. Apple does not tell us which, and the patches do not, on quick reading, decide the question either.

The point worth emphasizing is that for the user, the distinction does not change the architectural answer. On stock Safari, even a benign-looking crash bug in WebKit is, at worst, a foothold. On Bromure, even a worst-case version of one of these bugs — full code execution inside the renderer — is a code execution event inside a guest that gets thrown away.

Class three — the five logic and policy bugs

Five of the ten WebKit bugs in this advisory are not memory bugs at all. They are logic bugs — small inconsistencies between what Safari's security policy says is allowed and what its code actually enforces.

CVE-2026-43660 and CVE-2026-28907 — CSP bypass

Content Security Policy is the mechanism a website uses to tell the browser "only run JavaScript from these origins, only load images from these others." Both of these bugs allow a maliciously crafted page to make Safari skip enforcement of that policy in some path through the parser. Real consequence: a stored XSS on a site that thought CSP was protecting it now executes.

CVE-2026-28962 and CVE-2026-28958 — information disclosure

Both let a hostile page read data it should not have access to. The first is in WebKit's access-control logic; the second is in its data-protection paths. Used in a chain, these are the bugs that turn "I have code execution in your renderer" into "I have your session cookie for another site you were logged into."

CVE-2026-28971 — iframe download spoofing

A malicious iframe can use a parent page's download settings. On the surface this is a UI bug; in practice it is the way a drive-by download gets to ride on top of a site the user has explicitly trusted to save files. A textbook initial-access primitive for malware.

What the logic bugs are for

On their own, none of these grant code execution. Their value is structural: each one is a rung the memory bugs above use to climb. A bare use-after-free is hard to weaponize without a way to leak a pointer, a way to bypass CSP, a way to read cross-origin state. Logic bugs in the same release are the quiet half of every public exploit chain.

The same argument applies on the Bromure side, with one clarification worth making. The download-spoofing bug (CVE-2026-28971) is interesting because it is the one bug in this list that, on stock Safari, can produce a file on disk that the user might later open. Bromure's downloads from inside a tab land inside that tab's guest VM by default; promoting them out of the guest is an explicit user action. A drive-by file that the page manages to "download" is, on Bromure, a file in a Linux guest that is about to stop existing. The cross-origin information disclosures (CVE-2026-28962, CVE-2026-28958) read data the renderer can see, which on Bromure is the data that lives inside that one tab's VM.

What stays in the room: the things the VM does and does not isolate

It would be too easy to walk away from the above with the wrong takeaway. Bromure's architecture is good at narrowing the blast radius of a renderer compromise. It is not magic. Several things are still in the room and worth being explicit about.

The session itself is compromised

A working exploit on one of these bugs still owns the tab it fires in. Passwords typed into that tab during the exploit window are in scope. Cookies stored in the profile that tab is using are in scope. Form data is in scope. Per-profile separation in Bromure ensures the damage is bounded by that profile, not the user's whole digital life, but it is not zero.

The clipboard is the obvious bridge

Bromure's default posture leaves the clipboard available to the guest, because for most users the cost of breaking copy-paste every day outweighs the rare exploit scenario. That posture is a deliberate choice and one we can sever on demand for sessions you want hermetic. It is worth knowing the bridge exists.

A hypervisor escape is still in play

A sufficiently determined chain could, in principle, escape the Apple Silicon hypervisor itself. The attack surface there is several orders of magnitude smaller than a browser's, and the public record of such bugs is short, but it is not zero. We do not claim immunity; we claim to have moved the bug class your safety depends on.

No extensions, no browser-helper layer

Bromure does not allow Chrome extensions to be installed at all. That is a stance, not a setting. It removes an entire second attack surface — every extension is its own quasi-trusted code path with permissions that ride alongside the renderer — that has historically been the way a lot of real-world browser compromises actually get persistence.

Why the Mac and the browser want to be separate machines

There is a more general way to say all of the above. A modern Mac contains, side by side in the same trust domain:

  • The OS, with your files and your keychain.
  • Native apps you have installed, with whatever entitlements they asked for.
  • The browser, which is by a large margin the single largest piece of attacker-controllable parsing machinery on the system.

When a WebKit bug fires on a stock macOS, the part of the system that was just compromised is the part of the system that has read access to the other two. That is not a Safari mistake; it is the straightforward consequence of running a browser as a user-space application alongside everything else the user does.

Bromure's design treats the browser and the rest of the Mac as different machines. The browser actually runs on a different machine — a Linux guest, on a virtual CPU, with virtual disk that is reset on every session. The host Mac sees the guest only through a narrow set of hypervisor calls: framebuffer, input, network, clipboard when allowed. A WebKit-class bug — or its Chromium equivalent — that lands inside the guest is, from the host's point of view, code running on a different computer, in a different operating system, with no path to the user's files. The fact that the two "computers" share a chassis is an implementation detail.

What to do today

If you are reading this on the Mac you use for everything else, the most important thing is the boring thing: apply the macOS 26.5 update. The window between Apple shipping a patch and somebody turning the patch into a working exploit is now, by the industry's own measurements, measured in hours rather than weeks. Stock Safari users with this update applied are protected against the ten WebKit bugs above. Stock Safari users without it are not.

If you are reading this on Bromure, you are protected against WebKit-class renderer bugs by architecture rather than by patch adoption, because the renderer is not WebKit, is not running on the host, and is in a guest that gets destroyed on tab close. You should still apply the macOS 26.5 update, because the other sixty or so CVEs in that release patch parts of macOS that Bromure does not isolate — kernel components, system services, native frameworks — and those still matter.

The framing we would like more people to use is this. WebKit zero days are not going to stop. Chromium zero days are not going to stop. What can stop, for any given user, is the link between "a page was wrong" and "your computer was wrong." That link is the one Bromure was built to break, one ten-CVE advisory at a time.

Install Bromure. Keep applying your macOS updates. And the next time Apple ships a Safari update that says "processing maliciously crafted web content may lead to" — and that will be soon, because the cadence is monthly now — read the line, file it, and notice that for the part of your day spent inside Bromure, the sentence does not finish.