Skip to main content

Apple iOS, iPadOS, macOS, visionOS CVE-2026-28958

| EUVDEUVD-2026-29263 MEDIUM
Information Exposure (CWE-200)
2026-05-11 apple GHSA-qwj9-ffgq-f34w
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:31 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
5.5 (MEDIUM)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:07 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:07 nvd
MEDIUM 5.5

DescriptionCVE.org

This issue was addressed with improved data protection. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access sensitive user data.

AnalysisAI

Apple operating systems prior to version 26.5 allow installed applications to access sensitive user data through an information disclosure vulnerability requiring local access and user interaction. The flaw affects iOS, iPadOS, macOS Tahoe, and visionOS across all versions before 26.5, with an EPSS score of 0.02% indicating low real-world exploitation probability despite the local attack vector and high confidentiality impact.

Technical ContextAI

This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating a data protection weakness in Apple's operating systems. The issue arises from insufficient access controls or isolation boundaries that permit applications to read sensitive user data they should not have access to. The local attack vector (AV:L) combined with no privilege requirement (PR:N) but requiring user interaction (UI:R) suggests the vulnerability may be triggered through user-initiated actions such as file access, clipboard operations, or inter-process communication (IPC) mechanisms. The affected CPE strings indicate the vulnerability impacts all iOS/iPadOS versions, all macOS versions, and all visionOS versions prior to the 26.5 release across all product editions.

RemediationAI

Apply vendor-released patch by updating to iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, or visionOS 26.5 depending on affected device type. Navigate to Settings > General > Software Update on iOS/iPadOS and visionOS devices, or System Settings > General > Software Update on macOS. For organizations managing multiple devices, deploy updates through Mobile Device Management (MDM) or Mac management tools. No documented workarounds exist for unpatched systems; the patch includes improved data protection mechanisms that cannot be replicated through configuration alone. Users should prioritize updating devices that store or access highly sensitive personal information. Patch deployment should be staged to ensure system stability, beginning with non-critical devices.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed

Share

CVE-2026-28958 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy