Skip to main content

Apple Mail CVE-2026-28929

| EUVDEUVD-2026-29246 HIGH
Incorrect Comparison Logic Granularity (CWE-1254)
2026-05-11 apple GHSA-527j-9gv9-84mw
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:26 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

A logic issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. Replying to an email could display remote images in Mail in Lockdown Mode.

AnalysisAI

Apple Mail on iOS, iPadOS, and macOS bypasses Lockdown Mode protections when replying to emails, allowing remote image loading that should be blocked. This information disclosure affects all supported Apple OS versions (iOS/iPadOS 18.x, macOS Sequoia 15.x, Sonoma 14.x, and Tahoe 26.x) prior to security updates released in early 2026. The vulnerability undermines a critical privacy protection for high-risk users, enabling email tracking and potential IP address disclosure despite Lockdown Mode activation. EPSS score of 0.02% suggests minimal automated exploitation likelihood, no public exploit or CISA KEV listing identified, though the attack complexity is rated low (CVSS AC:L).

Technical ContextAI

This vulnerability represents a logic flaw (CWE-1254: Incorrect Comparison) in Apple Mail's implementation of Lockdown Mode restrictions. Lockdown Mode is a hardened security configuration introduced in iOS 16 and macOS Ventura designed for users facing targeted digital threats, which among other protections blocks remote content loading in Mail to prevent tracking pixels and metadata leakage. The affected CPE strings identify multiple Apple operating system families: iOS/iPadOS (mobile platforms) and macOS across three major versions (Sequoia 15.x, Sonoma 14.x, and the newer Tahoe 26.x). The logic error specifically manifests when users perform email reply operations, where Mail's content filtering logic fails to properly enforce the Lockdown Mode policy against remote image resources. This suggests a conditional code path where reply message composition bypasses security checks that correctly function during initial email viewing.

RemediationAI

Apply vendor-released patches immediately: upgrade iOS and iPadOS devices to version 18.7.9, macOS Sequoia systems to 15.7.7, macOS Sonoma to 14.8.7, and macOS Tahoe to 26.5 via System Settings > General > Software Update or through Apple Business/School Manager for managed deployments (advisories at https://support.apple.com/en-us/127111 through 127117). For environments unable to patch immediately, implement these compensating controls with noted limitations: disable Lockdown Mode temporarily on affected systems (trade-off: removes all Lockdown Mode protections including JIT compilation blocks, font rendering restrictions, and network security hardening, acceptable only for low-risk users), configure Mail to disable all message composition features via MDM profile restrictions (trade-off: eliminates reply functionality entirely, may impact business workflows), or instruct Lockdown Mode users to avoid replying to emails from untrusted senders and instead compose new messages manually (trade-off: requires user training and consistent adherence, human error likely). Note that simply disabling remote content loading in Mail preferences does not mitigate this issue as the vulnerability bypasses existing Lockdown Mode controls.

Share

CVE-2026-28929 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy