This issue was addressed with improved URL validation. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. On a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that should be restricted.
The problem stems from insufficient URL validation. When web content is opened via file URL (file:// scheme) on a Mac with Lockdown Mode enabled, the mechanisms restricting access to specific Web APIs are not properly enforced. An attacker can thus gain access to browser functions that should be unavailable in this protected system operating mode.
An attacker can gain access to restricted Web APIs in the Lockdown Mode context, which potentially leads to breach of confidentiality, integrity, and availability of data — which reflects the maximum CVSS score of 9.8 (C:H/I:H/A:H).
The system should be updated to Safari 26.2 and macOS Tahoe 26.2, in which the issue was resolved through improved URL validation. Details available at: https://support.apple.com/en-us/125886 and https://support.apple.com/en-us/125892.
Apple Safari versions before 26.2 and macOS Tahoe versions before 26.2, on Mac devices with Lockdown Mode enabled.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApple macOS
OSApple< 26.2Apple Safari
APPApple< 26.2
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu
Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach
Apple — memory corruption (RCE) w przetwarzaniu strumieni audio
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki