Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
A logic issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. Replying to an email could display remote images in Mail in Lockdown Mode.
AnalysisAI
Apple Mail on iOS, iPadOS, and macOS bypasses Lockdown Mode protections when replying to emails, allowing remote image loading that should be blocked. This information disclosure affects all supported Apple OS versions (iOS/iPadOS 18.x, macOS Sequoia 15.x, Sonoma 14.x, and Tahoe 26.x) prior to security updates released in early 2026. The vulnerability undermines a critical privacy protection for high-risk users, enabling email tracking and potential IP address disclosure despite Lockdown Mode activation. EPSS score of 0.02% suggests minimal automated exploitation likelihood, no public exploit or CISA KEV listing identified, though the attack complexity is rated low (CVSS AC:L).
Technical ContextAI
This vulnerability represents a logic flaw (CWE-1254: Incorrect Comparison) in Apple Mail's implementation of Lockdown Mode restrictions. Lockdown Mode is a hardened security configuration introduced in iOS 16 and macOS Ventura designed for users facing targeted digital threats, which among other protections blocks remote content loading in Mail to prevent tracking pixels and metadata leakage. The affected CPE strings identify multiple Apple operating system families: iOS/iPadOS (mobile platforms) and macOS across three major versions (Sequoia 15.x, Sonoma 14.x, and the newer Tahoe 26.x). The logic error specifically manifests when users perform email reply operations, where Mail's content filtering logic fails to properly enforce the Lockdown Mode policy against remote image resources. This suggests a conditional code path where reply message composition bypasses security checks that correctly function during initial email viewing.
RemediationAI
Apply vendor-released patches immediately: upgrade iOS and iPadOS devices to version 18.7.9, macOS Sequoia systems to 15.7.7, macOS Sonoma to 14.8.7, and macOS Tahoe to 26.5 via System Settings > General > Software Update or through Apple Business/School Manager for managed deployments (advisories at https://support.apple.com/en-us/127111 through 127117). For environments unable to patch immediately, implement these compensating controls with noted limitations: disable Lockdown Mode temporarily on affected systems (trade-off: removes all Lockdown Mode protections including JIT compilation blocks, font rendering restrictions, and network security hardening, acceptable only for low-risk users), configure Mail to disable all message composition features via MDM profile restrictions (trade-off: eliminates reply functionality entirely, may impact business workflows), or instruct Lockdown Mode users to avoid replying to emails from untrusted senders and instead compose new messages manually (trade-off: requires user training and consistent adherence, human error likely). Note that simply disabling remote content loading in Mail preferences does not mitigate this issue as the vulnerability bypasses existing Lockdown Mode controls.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29246
GHSA-527j-9gv9-84mw