Skip to main content

Apple iOS, iPadOS, macOS CVE-2026-28952

| EUVDEUVD-2026-29257 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-05-11 apple GHSA-7wc8-2xg6-9vfg
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 18:24 vuln.today
CVSS changed
May 12, 2026 - 18:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

An integer overflow was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to cause unexpected system termination.

AnalysisAI

Integer overflow in Apple operating systems allows remote unauthenticated attackers to crash devices via maliciously crafted input, causing denial of service through system termination. Affects iOS/iPadOS versions prior to 18.7.9, macOS Sequoia prior to 15.7.7, macOS Sonoma prior to 14.8.7, and macOS Tahoe prior to 26.5. Apple has released patches for all affected platforms. Despite the network attack vector and lack of authentication requirements (CVSS AV:N/PR:N), EPSS exploitation probability is very low at 0.02% (5th percentile), and no public exploits or active exploitation have been identified. Not listed in CISA KEV, suggesting limited real-world targeting.

Technical ContextAI

This vulnerability stems from an integer overflow condition (CWE-190) in an unspecified component accessible to applications across Apple's operating system family. Integer overflows occur when arithmetic operations produce values exceeding the maximum size of the integer type, often wrapping around to unexpected values. In this case, the overflow can be triggered by malformed input to cause memory corruption or resource exhaustion leading to system crashes. The affected CPE entries span multiple Apple OS families (iOS, iPadOS, and three macOS versions), indicating the vulnerable code is present in shared system frameworks or kernel components. Apple's fix involved improved input validation to detect and reject values that would trigger overflow conditions before they cause system instability.

RemediationAI

Vendor-released patches: Update to iOS 18.7.9 or iPadOS 18.7.9 for mobile devices, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, or macOS Tahoe 26.5 for desktop systems. Patches are available through standard Apple Software Update mechanisms and addresses available at https://support.apple.com/en-us/127111 (iOS/iPadOS), https://support.apple.com/en-us/127115, https://support.apple.com/en-us/127116, and https://support.apple.com/en-us/127117 (macOS versions). No workarounds are documented by the vendor. If immediate patching is not feasible, consider restricting network exposure of affected devices and implementing application allowlisting to prevent untrusted applications from processing external input, though this significantly impacts device usability and does not fully mitigate the network attack vector. Monitor devices for unexpected crashes or system termination events as potential exploitation indicators. Organizations should prioritize patching based on device criticality and exposure rather than raw CVSS score given the DoS-only impact and low observed exploitation probability.

Share

CVE-2026-28952 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy