{"vulnerability": "cve-2026-43746", "sightings": [{"uuid": "527dde77-6bda-4535-aa54-fe50ce37ba21", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43746", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mphkfgu6mp2k", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-43746: \u0443\u0433\u0440\u043e\u0437\u0430 use-after-free \u0438 \u0441\u043f\u043e\u0441\u043e\u0431\u044b \u0437\u0430\u0449\u0438\u0442\u044b\n\n\n\nhttps://kripta.biz/posts/74036A29-5102-421D-9CC6-92E24CCB0B20", "creation_timestamp": "2026-06-29T22:36:28.480532Z"}, {"uuid": "f71a6d46-d684-4e32-bc95-b168693e4e12", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43746", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116835979854649291", "content": "The severity is increased for this new vulnerability affecting Apple Safari and other products (CVE-2026-43746) https://vuldb.com/vuln/374759", "creation_timestamp": "2026-06-29T23:26:12.974707Z"}, {"uuid": "c22c2022-668d-4c8c-a455-c50564a5779e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43746", "type": "seen", "source": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0818", "content": "", "creation_timestamp": "2026-07-01T02:50:40.896862Z"}, {"uuid": "720de919-4fde-46b2-a6e8-b40388a9c9e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43746", "type": "seen", "source": "https://www.thezdi.com/blog/2026/6/30/the-june-2026-apple-security-update-review", "content": "We\u2019re back with our look at the Apple macOS and iOS security updates. As this is a new feature for us, please let us know your feedback on the blog. \nFor Jun 2026, Apple released 37 unique CVEs across iOS 26.5.2 / iPadOS 26.5.2, macOS Tahoe 26.5.2, Safari 26.5.2. Since Apple doesn\u2019t provide CVSS scores or other severity information, we\u2019re left to speculate on which of these bugs is the most severe. The overwhelming majority (31 of 37) are WebKit/WebRTC bugs reachable through malicious web content. Most of those are crash/DoS bugs rather than code execution, so the real risk lives in the small set of kernel bugs and the handful of WebKit sandbox escapes. However, there are a couple that stand out.\n-&nbsp;&nbsp;&nbsp;&nbsp;CVE-2026-43724 (Kernel) \u2013 According to Apple, \u201cAn app may be able to cause unexpected system termination or write kernel memory.\u201d A kernel memory write is the highest-value primitive here: it's the privilege-escalation half of a full exploit chain and leads to complete device control. The bug was credited to Hyunwoo Kim (@v4bel), who is known to be a serious kernel researcher. \n-&nbsp;&nbsp;&nbsp;&nbsp;CVE-2026-39868 (Kernel) \u2013 Another kernel bug, this one could \u201ccause unexpected system termination or corrupt kernel memory.\u201d This is kernel memory corruption, and notably credited to a roster of elite offensive researchers (STAR Labs, Positive Technologies, Baidu Security). This kind of attribution usually signals a weaponizable, possibly Pwn2Own-grade bug rather than a theoretical crash.\n-&nbsp;&nbsp;&nbsp;&nbsp;CVE-2026-43725 / CVE-2026-43701 (WebKit) \u2013 Apple states these bugs could allow a website to process restricted web content outside the sandbox. I'm flagging this sandbox-escape pair over the many WebKit crash bugs because a sandbox escape is the bridge that turns a web-content bug into a path toward the kernel issues above. It's the most dangerous remotely-triggered class in the release.\nHere\u2019s a look at all the bugs released by Apple this month:\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n  \n  \n\n\n\n\n  \n\n\n  \n    \n\n\n\n\nApple Security Update &ndash; June 29, 2026\n\n\n\n  \n    \n      37Total CVEs\n      22Denial of Service\n      7Information Disclosure\n      3Memory Corruption\n      2Elevation of Privilege\n      2Sandbox Escape\n      1Spoofing\n    \n\n    \n\n      Apple security release &mdash; June 29, 2026. \"Yes/No\" indicates whether each update is affected. CVE IDs link to NVD.\n      \n        \n          CVE ID\n          Component\n          Impact\n          iOS 26.5.2 / iPadOS 26.5.2\n          macOS Tahoe 26.5.2\n          Safari 26.5.2\n        \n      \n      \n      \n        CVE-2026-43743\n        IOGPUFamily\n        An app may be able to cause unexpected system termination\n        Yes\n        Yes\n        No\n      \n      \n        CVE-2026-39868\n        Kernel\n        An app may be able to cause unexpected system termination or corrupt kernel memory\n        Yes\n        Yes\n        No\n      \n      \n        CVE-2026-43722\n        Kernel\n        An app may be able to leak sensitive kernel state\n        Yes\n        Yes\n        No\n      \n      \n        CVE-2026-43724\n        Kernel\n        An app may be able to cause unexpected system termination or write kernel memory\n        Yes\n        Yes\n        No\n      \n      \n        CVE-2026-43703\n        libxslt\n        Processing maliciously crafted web content may lead to an unexpected process crash\n        Yes\n        Yes\n        No\n      \n      \n        CVE-2026-43706\n        libxslt\n        Processing maliciously crafted web content may lead to an unexpected process crash\n        Yes\n        Yes\n        No\n      \n      \n        CVE-2026-43704\n        Web Extensions\n        A malicious web extension may be able to cause an unexpected process crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-39872\n        WebKit\n        Processing maliciously crafted web content may lead to an unexpected process crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43663\n        WebKit\n        Processing maliciously crafted web content may lead to an unexpected process crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43676\n        WebKit\n        Processing maliciously crafted web content may lead to an unexpected Safari crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43699\n        WebKit\n        Processing maliciously crafted web content may lead to an unexpected process crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43700\n        WebKit\n        Processing maliciously crafted web content may disclose sensitive user information\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43701\n        WebKit\n        A malicious website may be able to process restricted web content outside the sandbox\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43705\n        WebKit\n        Processing maliciously crafted web content may lead to memory corruption\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43707\n        WebKit\n        Processing maliciously crafted web content may lead to an unexpected process crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43708\n        WebKit\n        A malicious website may exfiltrate data cross-origin\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43709\n        WebKit\n        Processing maliciously crafted web content may lead to an unexpected process crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43712\n        WebKit\n        Processing maliciously crafted web content may lead to an unexpected process crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43713\n        WebKit\n        Visiting a website may leak sensitive data\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43715\n        WebKit\n        Processing maliciously crafted web content may lead to memory corruption\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43716\n        WebKit\n        Processing maliciously crafted web content may lead to an unexpected Safari crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43725\n        WebKit\n        A malicious website may be able to process restricted web content outside the sandbox\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43726\n        WebKit\n        Processing maliciously crafted web content may lead to an unexpected process crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43727\n        WebKit\n        Processing maliciously crafted web content may lead to an unexpected Safari crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43731\n        WebKit\n        Processing maliciously crafted web content may lead to memory corruption\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43732\n        WebKit\n        Processing maliciously crafted web content may disclose sensitive user information\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43734\n        WebKit\n        Processing maliciously crafted web content may lead to an unexpected process crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43735\n        WebKit\n        A malicious website may exfiltrate data cross-origin\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43740\n        WebKit\n        Processing maliciously crafted web content may result in the disclosure of process memory\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43742\n        WebKit\n        Processing maliciously crafted web content may lead to an unexpected process crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43745\n        WebKit\n        Processing maliciously crafted web content may lead to an unexpected Safari crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43720\n        WebKit Canvas\n        Processing maliciously crafted web content may lead to an unexpected Safari crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43721\n        WebKit Storage\n        A malicious website may be able to silently hijack clipboard data\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-28979\n        WebRTC\n        Processing maliciously crafted web content may lead to an unexpected process crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43717\n        WebRTC\n        Processing maliciously crafted web content may lead to an unexpected Safari crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43718\n        WebRTC\n        Processing maliciously crafted web content may lead to an unexpected Safari crash\n        Yes\n        Yes\n        Yes\n      \n      \n        CVE-2026-43746\n        WebRTC\n        Processing maliciously crafted web content may lead to an unexpected Safari crash\n        Yes\n        Yes\n        Yes\n      \n      \n    \n  \n\n\n\n  \n  \n\n\n\n\n\n\n  \nWe\u2019ll continue these macOS updates if people find them useful. Stay tuned for the regularly schedule Patch Tuesday blog covering Adobe and Microsoft.", "creation_timestamp": "2026-07-01T16:01:01.040350Z"}]}