ZDI 2026-05-12

ZDI-26-313: Apple Safari Regular Expression Duplicate Named Groups Heap-based Buffer Overflow Remote Code Execution Vulnerability

CVE-2026-28847

Machine-generated analysis · WAYSCloud LLM

The vulnerability involves a heap-based buffer overflow in Apple Safari due to improper handling of duplicate named groups in regular expressions.

Context

Apple Safari is affected by a remote code execution vulnerability. The issue arises from a heap-based buffer overflow triggered by duplicate named groups in regular expressions. User interaction is required, such as visiting a malicious page or opening a malicious file. The ZDI assigned a CVSS score of 8.8, indicating high severity according to their rating.

Operator considerations

Check: Determine if Apple Safari is deployed in environments where users can access untrusted web content.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2026-28847.

Read the full advisory on ZDI →