Over the past few months I built a tool to help me find memory safety bugs, and pointed it at WebKit. It found eight valid memory corruption issues. This is a short account of how it fits into the actual work, and where I still have to take over by hand.
TL;DR — This isn’t a technical write-up. It’s a high-level look at the tool I built and what it found; the per-bug internals and PoCs are a separate post.
How it works
Narrowing and auditing are volume work, so they go first: a cheap model triages, then a stronger model audits each survivor and tries to refute it before scoring it. Reproduction is automated too — a skill writes a PoC, usually an HTML or layout test or a patch if it assumes renderer compromised, and runs it under ASAN. The part I’d actually point at is what happens on a miss: a candidate that won’t reproduce isn’t dropped, it’s scored and tagged with whatever blocked it, so a failed repro comes back as a ranked lead instead of a dead end.
All of it ends in the same artifact — a confirmed crash with a reduced case — and that’s where the automation stops being useful. A crash proves the bug is real; it says nothing about what the bug is worth. Apple grades on what you can prove: register control, a repeatable read/write, code execution. Getting a fault there means reasoning about heap layout at the debugger, and that part is still mine. The machine finds the crash; it can’t tell me what it’s worth.
The bugs
The eight CVEs from these two release cycles. I’m not getting into the individual bugs here; that’s a separate post.
| CVE | Release | Component | Class |
|---|---|---|---|
| CVE-2026-28947 | 26.5 (May 2026) | WebKit | Use-after-free |
| CVE-2026-28946 | 26.5 (May 2026) | WebKit | Use-after-free |
| CVE-2026-28944 | 26.5 (May 2026) | WebRTC | Heap-buffer-overflow |
| CVE-2026-43704 | 26.5.2 (Jun 2026) | Web Extensions | Use-after-free |
| CVE-2026-43731 | 26.5.2 (Jun 2026) | WebKit | Use-after-free |
| CVE-2026-43705 | 26.5.2 (Jun 2026) | WebKit | Type confusion |
| CVE-2026-43676 | 26.5.2 (Jun 2026) | WebKit | OOB access |
| CVE-2026-43746 | 26.5.2 (Jun 2026) | WebRTC | Use-after-free |
Where this goes
It works but isn’t finished. The pattern set leans toward bugs I’ve already seen, so it’s blind to categories I haven’t added, and the cross-thread analysis needs work. The basic limit is simple: it finds what you tell it to look for, fast, but won’t turn up a new class of bug on its own. Deciding what to look for, and whether a candidate is worth reporting, is still my job. That was always the deal: make the parts that don’t need judgment quick, so there’s more time for the parts that do.
All of these were reported to Apple through the Apple Security Bounty program before this post went up. Technical details and PoC code for individual bugs will follow later, in line with disclosure timelines.