Skip to main content

Apple OS platforms CVE-2026-43661

| EUVDEUVD-2026-29306 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-05-11 apple GHSA-wp6x-485c-jcgc
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:30 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. Processing a maliciously crafted image may corrupt process memory.

AnalysisAI

Buffer overflow in Apple's image processing framework across iOS, iPadOS, macOS, tvOS, and watchOS allows remote attackers to cause denial of service through process memory corruption. Despite the CVSS 7.5 (High) rating and network attack vector, the vulnerability is rated low priority with only 2% EPSS exploitation probability (5th percentile), indicating minimal real-world threat activity. Apple has released patches in version 26.5 across all affected platforms. No active exploitation or public proof-of-concept has been identified at time of analysis.

Technical ContextAI

This vulnerability represents a classic stack-based buffer overflow (CWE-121) in Apple's shared image processing libraries used across its operating system ecosystem. When parsing maliciously crafted image files, insufficient bounds checking allows input data to exceed allocated buffer space, corrupting adjacent process memory. The affected component appears to be a core imaging framework shared across iOS/iPadOS, macOS Tahoe, tvOS, and watchOS, as evidenced by synchronized patching in version 26.5 across all platforms. Stack-based buffer overflows differ from heap overflows in that they corrupt the call stack, potentially overwriting return addresses and local variables. The CVSS vector AV:N indicates the vulnerable image parser can be triggered remotely, likely through web content, email attachments, messaging applications, or any pathway that processes untrusted image data without user interaction (UI:N).

RemediationAI

Update all affected Apple devices to version 26.5 or later: iOS/iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, and watchOS 26.5. Apply updates through System Settings > General > Software Update on iOS/iPadOS, System Settings > General > Software Update on macOS, Settings > System > Software Updates on tvOS, and the Watch app on paired iPhone for watchOS. Consult Apple's security advisories at https://support.apple.com/en-us/127110 (iOS/iPadOS), https://support.apple.com/en-us/127115 (macOS), https://support.apple.com/en-us/127118 (tvOS), and https://support.apple.com/en-us/127119 (watchOS) for complete details. If immediate patching is not feasible, implement defense-in-depth controls: disable automatic image preview in email clients and messaging applications (reduces attack surface but degrades user experience), restrict network access to untrusted image sources through content filtering policies (effective for managed enterprise devices but impractical for consumer use cases), and enable verbose crash logging to detect exploitation attempts through abnormal process terminations in image processing frameworks (detection-only, does not prevent exploitation). These workarounds provide minimal protection given the pervasive nature of image processing across OS functions and should not substitute for timely patching.

Share

CVE-2026-43661 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy