Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
A denial-of-service issue was addressed with improved input validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4. An attacker in a privileged network position may be able to cause a denial-of-service.
AnalysisAI
Denial-of-service vulnerability in iOS and iPadOS allows network-positioned attackers with high privileges to crash or degrade service availability through insufficient input validation. Apple addressed this with patches in iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, and iPadOS 26.4. EPSS score of 0.02% (5th percentile) indicates very low real-world exploitation probability despite CVSS score of 4.9.
Technical ContextAI
The vulnerability stems from improper input validation (CWE-400: Uncontrolled Resource Consumption) in iOS and iPadOS networking components. An attacker positioned on the network path between client and service can craft malformed network traffic that causes the operating system to consume excessive resources or enter an invalid state, resulting in denial of service. The AV:N vector confirms network-layer exploitation is possible, but the PR:H requirement (high privilege) significantly restricts the practical attack surface to adversaries with network infrastructure control, such as rogue network operators, ISP-level actors, or compromised network intermediaries.
RemediationAI
Vendor-released patches are available: upgrade to iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, or iPadOS 26.4. No workarounds are documented for this input validation vulnerability. Organizations unable to patch immediately should prioritize this based on network security posture-the PR:H requirement means only attackers with privileged network position (compromised network infrastructure, rogue Wi-Fi, ISP-level interception) can exploit. Consider network segmentation and egress filtering to reduce exposure to compromised upstream networks if patch deployment is delayed. Consult Apple security advisories (support.apple.com/en-us/126792 and support.apple.com/en-us/126793) for additional guidance.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29270
GHSA-f8vp-hxq7-7vh8