Skip to main content

Apple OS platforms CVE-2026-28987

| EUVDEUVD-2026-29281 HIGH
Insertion of Sensitive Information into Log File (CWE-532)
2026-05-11 apple GHSA-cw5m-c88q-x4pv
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:29 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An app may be able to leak sensitive kernel state.

AnalysisAI

Improper log data redaction across Apple's operating systems exposes sensitive kernel state to locally-installed applications. Vulnerable versions include iOS/iPadOS prior to 18.7.9 and 26.5, macOS Sequoia prior to 15.7.7, macOS Sonoma prior to 14.8.7, macOS Tahoe prior to 26.5, tvOS prior to 26.5, and watchOS prior to 26.5. Apple has released patches for all affected platforms addressing the CWE-532 (insertion of sensitive information into log file) weakness. The CVSS vector (AV:N/AC:L/PR:N/UI:N) appears inconsistent with the description of an app-based exploit, suggesting Apple's logging subsystem may be remotely queryable or the vector requires clarification. EPSS score of 0.02% (7th percentile) indicates minimal observed exploitation activity despite the high CVSS rating.

Technical ContextAI

This vulnerability stems from CWE-532 (Insertion of Sensitive Information Into Log File), where Apple's unified logging subsystem across iOS, iPadOS, macOS, tvOS, and watchOS failed to properly redact sensitive kernel state information before recording it in system logs. The unified logging framework, introduced in iOS 10 and macOS Sierra, provides a centralized logging mechanism accessible to applications via the os_log APIs. Applications with appropriate entitlements or system privileges can query these logs using the OSLogStore framework or command-line tools like 'log show'. The affected CPE entries (cpe:2.3:a:apple:ios_and_ipados, cpe:2.3:a:apple:macos, cpe:2.3:a:apple:tvos, cpe:2.3:a:apple:watchos) indicate this is a systemic issue in Apple's logging infrastructure spanning their entire operating system portfolio. Kernel state that should be redacted may include memory addresses (defeating ASLR), cryptographic material, authentication tokens, or internal data structures that reveal implementation details useful for exploit development.

RemediationAI

Apple has released patches for all affected platforms and organizations should deploy updates through standard Apple software update mechanisms. For iOS and iPadOS devices, update to version 18.7.9 or 26.5 depending on device compatibility. For macOS systems, update to macOS Sonoma 14.8.7, macOS Sequoia 15.7.7, or macOS Tahoe 26.5 based on your current major version. Apple TV devices should update to tvOS 26.5, and Apple Watch devices require watchOS 26.5. Updates can be deployed via Settings > General > Software Update on end-user devices or through Mobile Device Management (MDM) solutions for enterprise environments. Official security advisories with detailed update instructions are available at https://support.apple.com/en-us/127110 through https://support.apple.com/en-us/127119. If immediate patching is not feasible, consider compensating controls including restricting application installation to enterprise-vetted apps only through MDM policies, enabling stricter log access controls via MDM configuration profiles to limit which apps can query system logs, and implementing runtime application monitoring to detect unusual log querying behavior. These mitigations trade off user flexibility and may impact legitimate diagnostic tools but reduce the attack surface until patching is complete. No workaround fully addresses the vulnerability as the logging subsystem operates at the OS level beneath application sandboxes.

Share

CVE-2026-28987 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy