Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. A remote attacker may be able to cause unexpected app termination.
AnalysisAI
Buffer overflow in Apple operating systems allows remote attackers to trigger application denial of service without authentication. Affects iOS/iPadOS, macOS (Sequoia, Sonoma, Tahoe), tvOS, visionOS, and watchOS across multiple versions. Vendor-released patches available for all affected platforms. No public exploit identified at time of analysis, with EPSS score of 0.12% (30th percentile) indicating low probability of widespread exploitation attempts. CVSS 7.5 reflects network-accessible unauthenticated attack causing high availability impact but limited to app termination rather than system-wide denial of service.
Technical ContextAI
CWE-121 stack-based buffer overflow vulnerability affecting core components across Apple's entire operating system ecosystem. The vulnerability exists in a shared code path or library component present in iOS, iPadOS, macOS (multiple major versions), tvOS, visionOS, and watchOS, indicating a foundational networking or parsing component. Stack-based buffer overflows occur when a program writes more data to a buffer on the call stack than was allocated, potentially overwriting adjacent memory including return addresses and function pointers. Apple addressed this through improved bounds checking, suggesting insufficient input validation on externally-supplied data. The cross-platform nature (mobile, desktop, wearable, media devices) and network attack vector point to a common framework component processing untrusted network data, possibly in WebKit, network stack, or media parsing libraries.
RemediationAI
Apply vendor-released patches immediately through standard update mechanisms. For iOS/iPadOS users: update to version 18.7.9 or 26.5 depending on device compatibility via Settings > General > Software Update. For macOS users: update to Sequoia 15.7.7, Sonoma 14.8.7, or Tahoe 26.5 as appropriate for system version via System Settings > General > Software Update or Apple menu. For tvOS, visionOS, and watchOS: update to version 26.5 through respective system update interfaces. Complete advisory documentation available at https://support.apple.com/en-us/127110 through 127120. No workarounds documented by vendor. Compensating controls offer limited value given network attack vector and application-layer exploitation: restricting network access to trusted sources may reduce attack surface but is impractical for consumer devices and many enterprise use cases. Organizations should prioritize patching devices with business-critical applications most susceptible to availability disruption. Note that updates may require device restarts and should be scheduled during maintenance windows for production systems.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29218
GHSA-4w2g-rx2c-59rp