Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
An integer overflow was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to cause unexpected system termination.
AnalysisAI
Integer overflow in Apple operating systems allows remote unauthenticated attackers to crash devices via maliciously crafted input, causing denial of service through system termination. Affects iOS/iPadOS versions prior to 18.7.9, macOS Sequoia prior to 15.7.7, macOS Sonoma prior to 14.8.7, and macOS Tahoe prior to 26.5. Apple has released patches for all affected platforms. Despite the network attack vector and lack of authentication requirements (CVSS AV:N/PR:N), EPSS exploitation probability is very low at 0.02% (5th percentile), and no public exploits or active exploitation have been identified. Not listed in CISA KEV, suggesting limited real-world targeting.
Technical ContextAI
This vulnerability stems from an integer overflow condition (CWE-190) in an unspecified component accessible to applications across Apple's operating system family. Integer overflows occur when arithmetic operations produce values exceeding the maximum size of the integer type, often wrapping around to unexpected values. In this case, the overflow can be triggered by malformed input to cause memory corruption or resource exhaustion leading to system crashes. The affected CPE entries span multiple Apple OS families (iOS, iPadOS, and three macOS versions), indicating the vulnerable code is present in shared system frameworks or kernel components. Apple's fix involved improved input validation to detect and reject values that would trigger overflow conditions before they cause system instability.
RemediationAI
Vendor-released patches: Update to iOS 18.7.9 or iPadOS 18.7.9 for mobile devices, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, or macOS Tahoe 26.5 for desktop systems. Patches are available through standard Apple Software Update mechanisms and addresses available at https://support.apple.com/en-us/127111 (iOS/iPadOS), https://support.apple.com/en-us/127115, https://support.apple.com/en-us/127116, and https://support.apple.com/en-us/127117 (macOS versions). No workarounds are documented by the vendor. If immediate patching is not feasible, consider restricting network exposure of affected devices and implementing application allowlisting to prevent untrusted applications from processing external input, though this significantly impacts device usability and does not fully mitigate the network attack vector. Monitor devices for unexpected crashes or system termination events as potential exploitation indicators. Organizations should prioritize patching based on device criticality and exposure rather than raw CVSS score given the DoS-only impact and low observed exploitation probability.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29257
GHSA-7wc8-2xg6-9vfg