Finding memory bugs in Apple's WebKit, mostly without me

How I built an LLM-assisted pipeline to hunt memory safety bugs in WebKit, the eight CVEs it turned up across two Safari release cycles, and where a human still has to take over.

Over the past few months I built a tool to help me find memory safety bugs, and pointed it at WebKit. It found eight valid memory corruption issues. This is a short account of how it fits into the actual work, and where I still have to take over by hand.

TL;DR — This isn’t a technical write-up. It’s a high-level look at the tool I built and what it found; the per-bug internals and PoCs are a separate post.

How it works

AI-assisted WebKit security auditing pipeline Four stages, left to right. Narrowing, auditing and reproduction run automatically; proving impact is human plus AI. Outcomes: three primitive-level bugs and five confirmed crashes, reported to Apple. One pipeline, eight Safari CVEs Triage, auditing and reproduction run automatically. Proving impact is where I take over. AUTOMATED HUMAN + AI PHASE 1 Narrow cheap, fast model WebKit treemillions of LOC Scope the searchdiffs, fixes, hot code Rank candidatesUAF · type-conf · OOB PHASE 2 Audit claude-opus-4.6 Read in contextfunction, callers, guards Trace reachabilityattacker input to sink Refute & scoredrop weak candidates PHASE 3A Reproduce skill-driven Write a PoCHTML / layout test Run under ASANauto-reproduce Confirm or scorecrash ✓ · else blocker PHASE 3B Prove impact human + AI Escalate the crashheap layout, debugger Reach a primitivereg · R/W · code exec Bounty scenarioprove it, don't chain RESULT · 8 VALID BUGS 3 Primitive-level register · R/W · code exec 5 Confirmed crashes ASAN + reduced case OUTPUT Report to Apple root cause · repro · impact
Narrowing, auditing and reproduction are automated — a skill writes a PoC and reproduces the crash under ASAN, or scores its confidence and names what blocked it. Turning a confirmed crash into a demonstrated primitive is the part I still drive.

Narrowing and auditing are volume work, so they go first: a cheap model triages, then a stronger model audits each survivor and tries to refute it before scoring it. Reproduction is automated too — a skill writes a PoC, usually an HTML or layout test or a patch if it assumes renderer compromised, and runs it under ASAN. The part I’d actually point at is what happens on a miss: a candidate that won’t reproduce isn’t dropped, it’s scored and tagged with whatever blocked it, so a failed repro comes back as a ranked lead instead of a dead end.

All of it ends in the same artifact — a confirmed crash with a reduced case — and that’s where the automation stops being useful. A crash proves the bug is real; it says nothing about what the bug is worth. Apple grades on what you can prove: register control, a repeatable read/write, code execution. Getting a fault there means reasoning about heap layout at the debugger, and that part is still mine. The machine finds the crash; it can’t tell me what it’s worth.


The bugs

The eight CVEs from these two release cycles. I’m not getting into the individual bugs here; that’s a separate post.

CVE Release Component Class
CVE-2026-28947 26.5 (May 2026) WebKit Use-after-free
CVE-2026-28946 26.5 (May 2026) WebKit Use-after-free
CVE-2026-28944 26.5 (May 2026) WebRTC Heap-buffer-overflow
CVE-2026-43704 26.5.2 (Jun 2026) Web Extensions Use-after-free
CVE-2026-43731 26.5.2 (Jun 2026) WebKit Use-after-free
CVE-2026-43705 26.5.2 (Jun 2026) WebKit Type confusion
CVE-2026-43676 26.5.2 (Jun 2026) WebKit OOB access
CVE-2026-43746 26.5.2 (Jun 2026) WebRTC Use-after-free

Where this goes

It works but isn’t finished. The pattern set leans toward bugs I’ve already seen, so it’s blind to categories I haven’t added, and the cross-thread analysis needs work. The basic limit is simple: it finds what you tell it to look for, fast, but won’t turn up a new class of bug on its own. Deciding what to look for, and whether a candidate is worth reporting, is still my job. That was always the deal: make the parts that don’t need judgment quick, so there’s more time for the parts that do.


All of these were reported to Apple through the Apple Security Bounty program before this post went up. Technical details and PoC code for individual bugs will follow later, in line with disclosure timelines.