Skip to main content

Apple OS CVE-2026-28991

| EUVDEUVD-2026-29284 HIGH
Out-of-bounds Read (CWE-125)
2026-05-11 apple GHSA-778p-qw96-fmjp
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 18:24 vuln.today
CVSS changed
May 12, 2026 - 18:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to cause a denial-of-service.

AnalysisAI

Out-of-bounds read in Apple operating systems allows remote unauthenticated denial-of-service via malicious application. Apple has patched this vulnerability across all affected platforms (iOS/iPadOS, macOS, tvOS, visionOS, watchOS) in version 26.5 releases. Despite CVSS 7.5 HIGH rating, exploitation probability remains low (EPSS 2%, 5th percentile) with no public exploit code identified and no CISA KEV listing. The vulnerability is impact-limited to availability (denial-of-service) with no confidentiality or integrity compromise, though tags indicate potential information disclosure concerns that warrant verification against vendor advisories.

Technical ContextAI

This vulnerability stems from CWE-125 (Out-of-bounds Read), a memory safety issue where software reads data past the end or before the beginning of an allocated buffer. The flaw affects core system components across Apple's entire ecosystem including iOS/iPadOS, macOS Tahoe, tvOS, visionOS, and watchOS prior to version 26.5. Out-of-bounds reads typically occur when boundary validation is insufficient during buffer operations, allowing an application to access memory regions outside intended boundaries. Apple addressed this through improved bounds checking mechanisms in the affected system libraries or frameworks. The cross-platform nature suggests the vulnerability exists in shared code components used across Apple's operating system family, though the specific affected framework or system service is not disclosed in available data.

RemediationAI

Update all affected Apple devices to version 26.5 or later immediately through standard OS update mechanisms (Settings > General > Software Update on iOS/iPadOS, System Settings > General > Software Update on macOS, Settings > System > Software Updates on tvOS/watchOS/visionOS). Apple has released patches for all supported platforms with detailed security content documentation available in vendor advisories (https://support.apple.com/en-us/127110, 127115, 127118, 127119, 127120). For devices unable to upgrade to 26.5 due to hardware limitations, implement application vetting controls by restricting app installations to trusted App Store sources only and disabling sideloading/developer mode where possible. Enterprise environments should leverage Mobile Device Management (MDM) solutions to enforce app whitelisting and block unverified applications, though this introduces operational overhead for legitimate development workflows. Organizations with legacy Apple devices should prioritize hardware replacement planning, as denial-of-service vulnerabilities in core OS components cannot be effectively mitigated through network controls alone. No effective network-layer compensating controls exist for this client-side memory safety issue.

Share

CVE-2026-28991 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy