Safari Regex Engine Vulnerability Allows Remote Code Execution via Duplicate Named Groups

Apple has released a security update to address a remote code execution (RCE) vulnerability in Safari, disclosed on May 12, 2026, under the coordinated advisory ZDI-26-313. The flaw, a heap-based buffer overflow carrying a CVSS score of 8.8, resides in the engine’s handling of regular expressions with duplicate named groups. It is triggered when a user visits a specially crafted malicious page. The risk lies in the intersection of a JavaScript feature and a memory boundary validation error, turning standard web browsing into an effective RCE vector against the Apple ecosystem.

Key Takeaways
  • ZDI-26-313 identifies a heap-based buffer overflow in the parsing of regular expressions with duplicate named groups, which can lead to arbitrary code execution in the current process.
  • The attack vector is network-based, requires user interaction (UI:R), and carries a CVSS severity score of 8.8 (High).
  • Apple has issued an update to remediate the vulnerability, though the advisory does not specify the exact versions affected.
  • There are currently no confirmed reports of in-the-wild exploitation, and no CVE identifier has been assigned to the flaw.

Technical Analysis: Heap Overflow in the Regex Parser

The vulnerability exists within Safari's regular expression engine and specifically affects the parsing of duplicate named groups, a syntax construct introduced in the ES2018 specification. According to the ZDI-26-313 advisory, the issue stems from a failure to validate the length of user-supplied data before it is copied into a heap-based buffer. This oversight leads to a heap-based buffer overflow, which can be leveraged to overwrite adjacent memory areas and execute arbitrary code within the browser process. The error is not a failure of regex logic itself, but rather a lack of boundary checks during the transition from the parser to dynamic memory.

"The specific flaw exists within the handling of regular expression named groups. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer." — Zero Day Initiative, advisory ZDI-26-313

When Safari's parser processes expressions containing duplicate named groups, the lack of heap space verification allows for an input-controlled overwrite. Consequently, the corruption of adjacent memory can be weaponized to hijack the browser process's execution flow, effectively converting a routine parsing operation into an RCE vector.

Exploitation via Web Page Visitation

The attack vector, reflected in the CVSS 8.8 score (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), makes this vulnerability a potent tool for social engineering. An attacker does not require credentials or specific network conditions; they only need to lure a victim to a webpage containing a malicious regex or convince them to open a compromised file. While user interaction is required, it is minimal and aligns with standard daily browsing habits. This low barrier to entry significantly amplifies the risk for Safari users across macOS and iOS.

Social engineering is the most likely delivery method: a message, a QR code, or a social media post redirecting to a seemingly legitimate domain. Once the page is loaded, the JavaScript code containing the malicious regex executes within the Safari process context without further warnings. Because the user does not need to take any conscious action beyond navigation, the threat is particularly effective against unsuspecting targets and corporate environments with permissive browsing policies.

Coordinated Disclosure and Apple's Patch

Trend Micro Zero Day Initiative received the report on March 26, 2026, and managed the coordinated publication on May 12, 2026, when advisory ZDI-26-313 was made public. The official text states that "Apple has issued an update to correct this vulnerability," but it does not provide specific build or version numbers for macOS, iPadOS, or iOS. The coordinated nature of the disclosure suggests that Apple integrated the fix prior to the release of technical details, narrowing the window of exposure. However, it remains unverified whether the update reached all supported versions simultaneously.

Trend Micro’s Zero Day Initiative acts as a vulnerability broker, managing communication between independent researchers and vendors. The roughly seven-week window between the initial report and public disclosure follows industry-standard coordinated disclosure practices, allowing the vendor time to test and distribute a fix. During this period, technical details are kept confidential to reduce the likelihood of malicious actors replicating the exploit before users can apply the patch.

Reporting Limitations: Missing CVE and Affected Versions

The technical dossier contains several gaps that complicate corporate risk management. No CVE identifier has been assigned to the vulnerability, making it harder to track within vulnerability management systems and threat intelligence feeds. Furthermore, the advisory does not list which specific versions of Safari, macOS, or iOS are affected, nor does it specify which releases contain the fix. Without this data, security teams must rely on the ZDI-26-313 reference for tracking, which can delay assessment times.

As of publication, there is no confirmed evidence of active exploitation in the wild. While the absence of such evidence does not eliminate the risk, it prevents the threat from being classified as an active zero-day attack. These limitations make it essential for organizations to proactively install updates across all Apple devices in their fleet without waiting for further confirmation from the threat landscape.

Mitigation and Security Recommendations

The response to this vulnerability involves immediate action and ongoing monitoring, as the advisory leaves several risk management points open.

  • Immediately install Apple updates for Safari and associated operating systems on all macOS, iOS, and iPadOS endpoints via the Software Update section. Since specific vulnerable versions have not been disclosed, the most prudent approach is to assume all devices are exposed until proven otherwise.
  • Monitor EDR (Endpoint Detection and Response) alerts and web gateways for anomalies in page rendering involving complex regex payloads until patch coverage across the fleet is confirmed. This measure helps detect exploitation attempts that may occur before or after patches are applied.
  • Advise corporate users about the risks of clicking unverified links, as visiting a malicious page is sufficient to trigger the exploitation chain. Security awareness should shift focus from traditional phishing to the dangers of passive navigation on compromised sites.
  • Track the potential assignment of a dedicated CVE and any subsequent vendor analysis to map the exact patched versions. Compliance verification can only be completed once Apple clarifies which builds are affected.
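As an added example (not code from the ZDI advisory, Apple, or any product named above), the JavaScript below implements the kind of script-review check a web gateway could apply while patch coverage is confirmed: it scans a regex source string for capture-group names that occur more than once, without handing the pattern to the host engine's parser, and includes a probe for whether the running engine accepts the syntax at all. The sample patterns are constructed for illustration.

```javascript
// Scan a regex source string and return capture-group names that appear
// more than once. The scanner walks the string itself rather than calling
// new RegExp(), so it works on engines that reject duplicate named groups.
function findDuplicateNamedGroups(pattern) {
  const seen = new Map();   // group name -> number of occurrences
  let inClass = false;      // inside [...] a "(" is a literal, not a group
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }                 // skip escaped char
    if (inClass) { if (ch === ']') inClass = false; continue; }
    if (ch === '[') { inClass = true; continue; }
    // A named group opens with "(?<" followed by an identifier and ">".
    // "(?<=" and "(?<!" are lookbehinds, not named groups, so skip them.
    if (ch === '(' && pattern.startsWith('?<', i + 1)) {
      const next = pattern[i + 3];
      if (next === '=' || next === '!') continue;
      const close = pattern.indexOf('>', i + 3);
      if (close === -1) break;                          // malformed: stop
      const name = pattern.slice(i + 3, close);
      seen.set(name, (seen.get(name) || 0) + 1);
      i = close;
    }
  }
  return [...seen].filter(([, n]) => n > 1).map(([name]) => name).sort();
}

// Feature probe: does this engine accept duplicate named groups at all?
// Engines that reject the syntax throw a SyntaxError at construction time.
function engineAcceptsDuplicateNamedGroups() {
  try { new RegExp('(?<d>a)|(?<d>b)'); return true; }
  catch (e) { return false; }
}

// Constructed sample patterns (not taken from the advisory).
const SAMPLES = {
  benign: String.raw`(?<year>\d{4})-(?<month>\d{2})`,
  duplicate: String.raw`(?<d>\d{4})-\d{2}|(?<d>\d{2})/\d{4}`,
  lookbehind: String.raw`(?<=\$)(?<amt>\d+)|(?<amt>\d+) dollars`,
  literalInClass: String.raw`[(?<x>]+(?<x>y)`,
};

for (const [label, pattern] of Object.entries(SAMPLES)) {
  console.log(label, findDuplicateNamedGroups(pattern));
}
console.log('engine accepts duplicates:', engineAcceptsDuplicateNamedGroups());
```

A non-empty result is a trigger for review, not proof of an exploit; legitimate code may use the syntax on engines that support it.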

The ZDI discovery highlights how advanced, seemingly benign web language features can harbor devastating memory safety flaws when browser implementations overlook user-data boundary controls. For Safari, the perceived security of the Apple ecosystem is not a technical mitigation: the regex engine remains native code exposed to arbitrary input.

This case reinforces the need to treat all external content parsing as a critical attack surface, regardless of end-user security perceptions. Organizations and advanced users should prioritize this update; even without public evidence of exploitation, the network-accessible nature of the flaw makes the Apple ecosystem an attractive target for future targeted campaigns.

Frequently Asked Questions

Is the issue with named groups themselves or the Safari parser?

The syntax for duplicate named groups is part of the ES2018 standard. The danger arises from Safari's implementation, which fails to validate data length before copying it to heap memory. Other JavaScript engines may handle the same regex without issue.

Why is the CVSS score 8.8 rather than 9.8 if the impact is total?

The attack vector includes the UI:R (User Interaction Required) metric. This requirement limits the score, even though the impact on confidentiality, integrity, and availability is high. Without this interactive barrier, the severity would likely reach critical levels.

Is the Apple update sufficient, or are network countermeasures required?

Installing the patch is the primary and definitive mitigation. While URL filters and corporate Browser Isolation provide useful defensive layers, they do not replace the fix for the regex engine itself.
