Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. A local attacker may be able to modify the state of the Keychain.
AnalysisAI
Local attackers can modify Apple Keychain state across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS due to improper input validation (CWE-20). This affects all Apple operating systems prior to their respective April 2026 security updates. Despite a CVSS score of 7.5, exploitation requires local access with specific privileges (description states 'local attacker'), contradicting the CVSS vector's AV:N/PR:N rating. EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability. No public exploit identified at time of analysis and not listed in CISA KEV. Vendor-released patches available across all platforms as of April 2026.
Technical ContextAI
This vulnerability affects Apple's Keychain subsystem, the OS-level credential management framework used across all Apple platforms for storing passwords, certificates, encryption keys, and other sensitive secrets. The root cause is improper input validation (CWE-20) when processing requests to modify Keychain state. Keychain operations typically require entitlements and process-level permissions, suggesting the vulnerability bypasses normal access controls through malformed input. The affected products span Apple's entire ecosystem: iOS/iPadOS (mobile), macOS Sequoia 15.x/Sonoma 14.x/Tahoe 26.x (desktop), tvOS (streaming devices), visionOS (spatial computing), and watchOS (wearables). The CPE strings confirm system-level impact across all product lines rather than a single application component.
RemediationAI
Apply vendor-released patches immediately: upgrade iOS/iPadOS devices to version 18.7.7 or 26.4, macOS Sequoia to 15.7.5, macOS Sonoma to 14.8.5, macOS Tahoe to 26.4, and tvOS/visionOS/watchOS to 26.4 as documented in Apple security advisories HT126792-HT126799 (https://support.apple.com/en-us/126792 through 126799). For devices that cannot be patched immediately, implement compensating controls: enforce full-disk encryption with strong passwords to raise local access barriers, enable FileVault on macOS and require device passcodes on iOS/iPadOS/watchOS (these do not prevent exploitation but limit attacker access to the device itself), restrict physical access to unattended devices, deploy Mobile Device Management (MDM) with remote wipe capabilities for lost/stolen devices, and monitor for unauthorized Keychain Access.app usage or keychain file modifications via endpoint detection tools. Note that disabling Keychain is not practical as it breaks password autofill, certificate management, and app authentication flows. Compensating controls only reduce attack surface by limiting local access opportunities, not the vulnerability itself.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29221
GHSA-6p6x-vh8j-jf65