Skip to main content

Apple operating systems CVE-2026-28986

| EUVDEUVD-2026-29280 HIGH
Race Condition (CWE-362)
2026-05-11 apple GHSA-jp3g-c936-q6p5
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:28 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:07 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:07 nvd
HIGH 7.5

DescriptionCVE.org

A race condition was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An app may be able to cause unexpected system termination.

AnalysisAI

A race condition in Apple operating systems allows unauthenticated remote attackers to cause system-wide denial of service through unexpected system termination. The vulnerability affects iOS/iPadOS, macOS (Sequoia, Sonoma, Tahoe), tvOS, and watchOS across multiple version branches. Apple has released patches for all affected platforms. The CVSS 7.5 score reflects high availability impact with network attack vector and low complexity, though EPSS probability remains very low (0.02%, 7th percentile), suggesting limited real-world exploitation likelihood. No active exploitation confirmed (not listed in CISA KEV), and no public proof-of-concept identified at time of analysis.

Technical ContextAI

This vulnerability stems from a race condition (CWE-362) in a shared system component across Apple's operating system family. Race conditions occur when multiple threads or processes access shared resources concurrently without proper synchronization, leading to unpredictable behavior depending on execution timing. Apple addressed the issue through 'additional validation' - likely adding atomic operations, mutex locks, or sequence checks to ensure operations complete in the correct order. The network attack vector (AV:N) combined with the cross-platform nature suggests the race condition exists in a network-accessible system service or framework common to iOS, macOS, tvOS, and watchOS. The CPE data confirms impact across Apple's entire ecosystem: mobile (iOS/iPadOS), desktop (macOS across three major versions), streaming (tvOS), and wearable (watchOS) platforms. The fact that seven separate security bulletins were issued indicates coordinated patching across all product lines.

RemediationAI

Update immediately to patched versions: iOS/iPadOS 18.7.9 or 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, or watchOS 26.5, as detailed in Apple security bulletins at https://support.apple.com/en-us/127110 through 127119. For enterprise deployments, prioritize internet-facing devices and systems in DMZ networks given the network attack vector. If immediate patching is not feasible, implement network segmentation to limit exposure of vulnerable Apple devices to untrusted networks, and deploy intrusion detection systems monitoring for abnormal system termination patterns that may indicate exploitation attempts - note this is detective, not preventive, and adds operational overhead for security teams investigating crashes. For consumer devices, enable automatic security updates in Settings to ensure timely deployment. No workaround exists to mitigate the underlying race condition without applying Apple's validation logic changes.

Share

CVE-2026-28986 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy