Skip to main content

Apple iOS CVE-2026-28846

| EUVDEUVD-2026-29218 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-05-11 apple GHSA-4w2g-rx2c-59rp
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 18:23 vuln.today
CVSS changed
May 12, 2026 - 18:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:07 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:07 nvd
HIGH 7.5

DescriptionCVE.org

A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. A remote attacker may be able to cause unexpected app termination.

AnalysisAI

Buffer overflow in Apple operating systems allows remote attackers to trigger application denial of service without authentication. Affects iOS/iPadOS, macOS (Sequoia, Sonoma, Tahoe), tvOS, visionOS, and watchOS across multiple versions. Vendor-released patches available for all affected platforms. No public exploit identified at time of analysis, with EPSS score of 0.12% (30th percentile) indicating low probability of widespread exploitation attempts. CVSS 7.5 reflects network-accessible unauthenticated attack causing high availability impact but limited to app termination rather than system-wide denial of service.

Technical ContextAI

CWE-121 stack-based buffer overflow vulnerability affecting core components across Apple's entire operating system ecosystem. The vulnerability exists in a shared code path or library component present in iOS, iPadOS, macOS (multiple major versions), tvOS, visionOS, and watchOS, indicating a foundational networking or parsing component. Stack-based buffer overflows occur when a program writes more data to a buffer on the call stack than was allocated, potentially overwriting adjacent memory including return addresses and function pointers. Apple addressed this through improved bounds checking, suggesting insufficient input validation on externally-supplied data. The cross-platform nature (mobile, desktop, wearable, media devices) and network attack vector point to a common framework component processing untrusted network data, possibly in WebKit, network stack, or media parsing libraries.

RemediationAI

Apply vendor-released patches immediately through standard update mechanisms. For iOS/iPadOS users: update to version 18.7.9 or 26.5 depending on device compatibility via Settings > General > Software Update. For macOS users: update to Sequoia 15.7.7, Sonoma 14.8.7, or Tahoe 26.5 as appropriate for system version via System Settings > General > Software Update or Apple menu. For tvOS, visionOS, and watchOS: update to version 26.5 through respective system update interfaces. Complete advisory documentation available at https://support.apple.com/en-us/127110 through 127120. No workarounds documented by vendor. Compensating controls offer limited value given network attack vector and application-layer exploitation: restricting network access to trusted sources may reduce attack surface but is impractical for consumer devices and many enterprise use cases. Organizations should prioritize patching devices with business-critical applications most susceptible to availability disruption. Note that updates may require device restarts and should be scheduled during maintenance windows for production systems.

Share

CVE-2026-28846 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy