Skip to main content

Apple iOS, iPadOS, macOS, visionOS CVE-2026-43659

| EUVDEUVD-2026-29304 MEDIUM
Race Condition (CWE-362)
2026-05-11 apple GHSA-5c55-3jwg-4fc5
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:31 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
4.7 (MEDIUM)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
MEDIUM 4.7

DescriptionCVE.org

A race condition was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access sensitive user data.

AnalysisAI

A race condition in Apple operating systems allows authenticated local attackers to access sensitive user data with high complexity exploitation. The vulnerability affects iOS 18.7.9 and earlier, iPadOS 18.7.9 and earlier, iOS 26.5 and earlier, iPadOS 26.5 and earlier, macOS Sequoia 15.7.7 and earlier, macOS Sonoma 14.8.7 and earlier, macOS Tahoe 26.5 and earlier, and visionOS 26.5 and earlier. Vendor-released patches are available, and exploitation requires local access with user-level privileges and high technical complexity. The EPSS score of 0.02% and absence from active exploitation databases indicate low real-world exploitation risk despite the high confidentiality impact.

Technical ContextAI

The vulnerability is rooted in a race condition (CWE-362) where concurrent access to shared resources by multiple processes or threads creates a timing window for unauthorized data access. Race conditions typically occur when multiple threads or processes access and modify shared data without proper synchronization mechanisms, allowing an attacker to exploit the interval between data validation and use. In Apple's operating systems, this race condition permits an application running with standard user privileges to access protected user data through a time-of-check-time-of-use (TOCTOU) vulnerability. The fix involved implementing additional validation controls to eliminate the race window or enforce proper synchronization. The affected CPE entries indicate this impacts the core operating systems across multiple Apple platforms: iOS/iPadOS, macOS variants (Sequoia, Sonoma, Tahoe), and visionOS.

RemediationAI

Vendor-released patches are available: upgrade to iOS 18.7.9 or later, iPadOS 18.7.9 or later, iOS 26.5 or later, iPadOS 26.5 or later, macOS Sequoia 15.7.7 or later, macOS Sonoma 14.8.7 or later, macOS Tahoe 26.5 or later, or visionOS 26.5 or later. Enable automatic security updates through Settings > General > Software Update > Automatic Updates on iOS/iPadOS, System Settings > General > Software Update on macOS, or equivalent on visionOS. As a compensating control pending patch deployment, restrict physical access to affected devices and audit user account privileges, removing unnecessary user-level accounts that could serve as pivot points for local exploitation. Limit access to sensitive applications and enforce strong authentication on accounts with access to confidential data. These controls do not eliminate the vulnerability but raise the attacker cost by requiring either physical possession or compromise of an existing user account. See Apple support documents https://support.apple.com/en-us/127110 through https://support.apple.com/en-us/127120 for platform-specific patching guidance.

Share

CVE-2026-43659 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy