Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
AnalysisAI
Memory corruption in Apple operating systems allows remote attackers to trigger unexpected app termination or corrupt process memory by delivering a maliciously crafted media file to users, requiring user interaction to open the file. Affects iOS/iPadOS 26.4 and earlier, macOS Sequoia 15.7.6 and earlier, macOS Sonoma 14.8.6 and earlier, macOS Tahoe 26.4 and earlier, tvOS 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier. No public exploit identified at time of analysis; vendor-released patches are available across all affected platforms.
Technical ContextAI
The vulnerability is rooted in a CWE-125 out-of-bounds read issue, categorized as buffer overflow, occurring in Apple's media file processing routines. When a maliciously crafted media file is processed-likely during parsing of video, audio, or image metadata by system frameworks or bundled media applications-insufficient input validation allows reading beyond allocated buffer boundaries. This memory corruption can affect various Apple platforms including iOS, iPadOS, macOS (multiple versions: Sequoia, Sonoma, Tahoe), tvOS, visionOS, and watchOS, suggesting the vulnerable code is shared across Apple's unified operating system architecture, likely in core media handling libraries (e.g., CoreMedia, AVFoundation). The CPE identifiers confirm the vulnerability spans multiple Apple product lines without version restrictions in the base CPE, indicating the issue affects multiple release generations across each platform.
RemediationAI
Apply vendor-released patches immediately: upgrade to iOS/iPadOS 26.5 or later, macOS Sequoia 15.7.7 or later, macOS Sonoma 14.8.7 or later, macOS Tahoe 26.5 or later, tvOS 26.5 or later, visionOS 26.5 or later, or watchOS 26.5 or later. All updates are available through standard system update mechanisms (Settings > General > Software Update on iOS/iPadOS/tvOS/visionOS/watchOS; System Settings > General > Software Update on macOS). No workarounds are available short of patching; however, risk can be reduced by instructing users to avoid opening media files from untrusted sources until patches are applied. Vendor advisory links: https://support.apple.com/en-us/127110 (iOS/iPadOS), https://support.apple.com/en-us/127115 (macOS Sequoia), https://support.apple.com/en-us/127116 (macOS Sonoma), https://support.apple.com/en-us/127117 (macOS Tahoe), https://support.apple.com/en-us/127118 (tvOS), https://support.apple.com/en-us/127119 (visionOS), https://support.apple.com/en-us/127120 (watchOS).
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29261
GHSA-f3j7-jqj9-3m57