Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
A type confusion issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. A remote attacker may be able to cause a denial of service.
AnalysisAI
Type confusion vulnerability in Apple's operating systems allows remote unauthenticated attackers to trigger denial of service across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Apple has released patches addressing the issue in iOS/iPadOS 18.7.9 and 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. The CVSS vector indicates network-accessible exploitation with low complexity and no privileges required, though EPSS score of 0.13% (32nd percentile) suggests relatively low likelihood of widespread exploitation. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
Type confusion vulnerabilities occur when code incorrectly handles data of one type as if it were another type, leading to memory corruption or unexpected behavior. In this case, Apple addressed the issue through improved type checking mechanisms across their operating system family. The vulnerability affects fundamental components shared across Apple's ecosystem, as evidenced by the simultaneous patching across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The network attack vector (AV:N) and availability impact (A:H) suggest the type confusion occurs in network-facing code, potentially in protocol parsing, network API handling, or inter-process communication mechanisms. Without CWE classification, the specific type confusion category remains unspecified, though common variants include CWE-843 (Access of Resource Using Incompatible Type) or CWE-704 (Incorrect Type Conversion or Cast).
RemediationAI
Apple has released patches for all affected platforms: update iOS and iPadOS devices to version 18.7.9 or 26.5 (depending on device compatibility), macOS systems to Tahoe 26.5, tvOS devices to 26.5, visionOS headsets to 26.5, and watchOS devices to 26.5. Updates can be obtained through standard Apple software update mechanisms (Settings > General > Software Update for iOS/iPadOS, System Settings > General > Software Update for macOS). Consult platform-specific advisories at support.apple.com URLs 127110 through 127120 for detailed update instructions. For environments unable to immediately patch, implement network-layer mitigations by restricting untrusted network access to affected devices through firewall rules, network segmentation, or VPN-only access, though this significantly impacts device functionality and user experience. Organizations should prioritize patching internet-facing systems and high-availability services first, while accepting temporary DoS risk for isolated internal endpoints may be reasonable pending maintenance windows.
Same technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29278
GHSA-36h7-c8f4-vc3p