Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
A null pointer dereference was addressed with improved input validation. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5. An attacker on the local network may be able to cause a denial-of-service.
AnalysisAI
Null pointer dereference in Apple operating systems (iOS, iPadOS, macOS Tahoe, tvOS) allows local network attackers to cause denial of service by sending crafted input that bypasses validation. The vulnerability affects all versions prior to iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, and tvOS 26.5. No code execution or data compromise is possible; impact is limited to availability disruption on affected devices.
Technical ContextAI
A null pointer dereference vulnerability (CWE-476) occurs when application code attempts to dereference a pointer that has not been initialized or has been set to null, typically due to insufficient input validation. In this Apple ecosystem vulnerability, inadequate validation of local network input allows an attacker to craft a malicious input that causes the underlying code path to attempt dereferencing a null pointer, resulting in a crash or service interruption. The vulnerability is present across multiple Apple platforms (iOS, iPadOS, macOS, tvOS) suggesting a shared codebase or library component processes local network input on these systems.
RemediationAI
Vendor-released patch: Update to iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, or tvOS 26.5 depending on affected device. Users should enable automatic updates in their device settings (Settings > General > Software Update > Automatic Updates on iOS/iPadOS; System Settings > General > Software Update on macOS) to receive patches as soon as available. For enterprise environments, deploy these updates through Mobile Device Management (MDM) solutions or Mac management tools to ensure timely remediation across device fleets. No workarounds are available for devices unable to update immediately; network segmentation can reduce attack surface by restricting local network access to devices via firewall rules, though this may impact device functionality for legitimate local network services (AirPlay, HomeKit, etc.). Prioritize patching for devices that handle sensitive workloads or operate in shared network environments where untrusted local clients may be present.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29279
GHSA-w9f3-jqrp-mw9r