Skip to main content

Apple iOS/iPadOS/macOS/visionOS CVE-2026-28936

| EUVDEUVD-2026-29248 HIGH
Improper Input Validation (CWE-20)
2026-05-11 apple GHSA-c8pw-9v2c-4669
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 13, 2026 - 15:53 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

The issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. Processing a maliciously crafted file may lead to unexpected app termination.

AnalysisAI

High confidentiality information disclosure across Apple's ecosystem (iOS, iPadOS, macOS, visionOS) allows remote unauthenticated attackers to extract sensitive data by delivering a maliciously crafted file. The vulnerability affects all current Apple operating systems and was fixed in March 2026 security updates (iOS/iPadOS 18.7.9/26.5, macOS 14.8.7/26.5, visionOS 26.5). Despite CVSS 7.5 HIGH rating and network attack vector requiring no privileges, EPSS exploitation probability is very low at 0.02% (5th percentile), suggesting minimal real-world risk. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.

Technical ContextAI

This is an input validation vulnerability (CWE-20: Improper Input Validation) affecting file processing components across Apple's operating system family. The CVE spans multiple CPE entries for iOS/iPadOS, macOS (Sonoma and Tahoe releases), and visionOS, indicating a shared code component or framework handling file parsing. Apple addressed it with 'improved checks', suggesting insufficient validation of file structure, metadata, or embedded content that could be exploited to leak memory contents or filesystem data. The CVSS vector shows pure confidentiality impact (C:H/I:N/A:N) with no integrity or availability effects, distinguishing this from typical denial-of-service file parsing bugs. The description mentions 'unexpected app termination' which contradicts the CVSS availability score of None, suggesting the primary exploitable impact is information disclosure before termination occurs, or that Apple's initial description was conservative.

RemediationAI

Apply vendor-released security updates immediately: upgrade iOS and iPadOS to version 18.7.9 or 26.5 (depending on device generation), macOS Sonoma to 14.8.7, macOS Tahoe to 26.5, and visionOS to 26.5 as documented in Apple security advisories HT127110, HT127111, HT127115, HT127117, and HT127120 (https://support.apple.com/en-us/127110 through 127120). For devices unable to immediately patch, implement defense-in-depth controls: disable automatic file preview in Mail and Messages applications (Settings > Mail > Load Remote Content, Settings > Messages > Low Quality Image Mode), restrict AirDrop to Contacts Only (Settings > General > AirDrop), and train users to avoid opening unsolicited files from unknown sources. Note that disabling preview features reduces usability and does not eliminate risk if users manually open malicious files. Configure Mobile Device Management (MDM) policies to enforce rapid security update deployment across enterprise devices. For high-security environments, consider temporarily restricting file sharing capabilities until patching is complete, accepting productivity impact as trade-off for information disclosure prevention.

Share

CVE-2026-28936 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy