Skip to main content

Apple iOS/iPadOS/macOS CVE-2026-28951

| EUVDEUVD-2026-29256 HIGH
Incorrect Authorization (CWE-863)
2026-05-11 apple GHSA-798q-fw67-pc42
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:26 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.8 (HIGH)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.8

DescriptionCVE.org

An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to gain root privileges.

AnalysisAI

Privilege escalation in Apple operating systems allows local authenticated applications to gain root privileges through an authorization flaw in state management. Affects multiple macOS versions (Sonoma, Sequoia, Tahoe) and iOS/iPadOS versions prior to patched releases. Apple has issued coordinated security updates across all affected platforms (iOS 18.7.9/26.5, iPadOS 18.7.9/26.5, macOS Sonoma 14.8.7, Sequoia 15.7.7, Tahoe 26.5). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation despite high CVSS 7.8, with no public exploit identified at time of analysis and no CISA KEV listing. The local attack vector requiring authenticated privileges substantially reduces immediate risk compared to network-based vulnerabilities.

Technical ContextAI

This vulnerability (CWE-863: Incorrect Authorization) stems from flawed state management in Apple's operating system authorization framework that validates privilege transitions. The affected CPE configurations span multiple OS generations: iOS/iPadOS (mobile platforms) and macOS Sonoma (14.x), Sequoia (15.x), and Tahoe (26.x) series. CWE-863 indicates the authorization logic fails to properly enforce security policies during state changes, allowing an application to manipulate or bypass privilege checks during transitions. Apple's authorization architecture typically uses XPC services, entitlements, and privilege separation - this flaw suggests a race condition, improper validation sequence, or state confusion in the elevation pathway that permits applications to escalate from low-privileged user context to root (UID 0) without proper authorization checks. The cross-platform nature (iOS, iPadOS, macOS) indicates the vulnerable code exists in shared frameworks like Foundation, Security.framework, or system daemons managing privilege elevation.

RemediationAI

Vendor-released patches are available for all affected platforms. Update iOS and iPadOS devices to version 18.7.9 or 26.5 through Settings > General > Software Update. Update macOS Sonoma systems to 14.8.7, Sequoia systems to 15.7.7, or Tahoe systems to 26.5 via System Settings > General > Software Update or using softwareupdate command-line tool. Detailed update instructions available in Apple security advisories at https://support.apple.com/en-us/127110, https://support.apple.com/en-us/127111, https://support.apple.com/en-us/127115, https://support.apple.com/en-us/127116, and https://support.apple.com/en-us/127117. If immediate patching is not feasible, implement compensating controls including application allowlisting to prevent execution of untrusted applications (using Gatekeeper enforcement and restricting installation sources to Mac App Store only), enable System Integrity Protection and remove admin privileges from standard user accounts to raise the initial access barrier. For macOS enterprise environments, deploy Mobile Device Management (MDM) policies restricting application installation and enforcing automatic security updates. Note that compensating controls only reduce attack surface and cannot eliminate the vulnerability - patching remains the only complete remediation. Temporary restrictions on app installation may impact user productivity and require exceptions management.

Share

CVE-2026-28951 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy