Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
This issue was addressed through improved state management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An attacker may be able to track users through their IP address.
AnalysisAI
IP address tracking across iOS, iPadOS, macOS, and visionOS allows remote attackers to correlate user activity without authentication due to improper state management (CWE-359: Exposure of Private Personal Information). The vulnerability affects default configurations across six Apple OS versions with network-accessible attack vector and low complexity. EPSS score of 0.02% (7th percentile) indicates minimal observed exploitation activity. Apple released coordinated patches across all affected platforms in March 2026 security updates.
Technical ContextAI
The vulnerability stems from CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor), specifically through inadequate state management in network stack or application layer components shared across Apple's operating system ecosystem. The flaw enables IP address-based user tracking, suggesting persistent identifiers or state information leak across sessions or contexts where isolation should exist. This could involve WebKit rendering engine, network proxy handling, DNS resolution, or system-level networking APIs that fail to properly isolate connection state. The cross-platform nature (iOS, iPadOS, macOS Sequoia/Sonoma/Tahoe, visionOS) indicates the affected code exists in a shared framework like Network.framework or lower-level networking primitives in the XNU kernel. Apple's fix description 'improved state management' suggests the remediation involved proper session isolation, connection state cleanup, or prevention of identifier correlation across network requests.
RemediationAI
Apply Apple's March 2026 security updates immediately: upgrade iOS and iPadOS devices to version 18.7.9 or 26.5, macOS Sequoia to 15.7.7, macOS Sonoma to 14.8.7, macOS Tahoe to 26.5, and visionOS to 26.5. Updates available through Settings → General → Software Update on iOS/iPadOS/visionOS, and System Settings → General → Software Update on macOS. Vendor advisories with detailed update instructions at https://support.apple.com/en-us/127110 through 127120. Organizations using mobile device management (MDM) should deploy patches via centralized update policies. No workarounds are documented for this vulnerability; compensating controls would require network-level IP address randomization through VPN or Tor, which introduces performance overhead and application compatibility issues. For devices that cannot be immediately patched, consider network segmentation to limit exposure of user activity patterns, though this does not eliminate the underlying tracking vector. Apple's patch resolves the root cause through improved state management without known side effects or compatibility impacts.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29231
GHSA-ggc3-fqp9-32jv