Skip to main content

Apple operating systems EUVDEUVD-2026-29231

| CVE-2026-28906 HIGH
Exposure of Private Personal Information to an Unauthorized Actor (CWE-359)
2026-05-11 apple GHSA-ggc3-fqp9-32jv
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 18:23 vuln.today
CVSS changed
May 12, 2026 - 18:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:03 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

This issue was addressed through improved state management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An attacker may be able to track users through their IP address.

AnalysisAI

IP address tracking across iOS, iPadOS, macOS, and visionOS allows remote attackers to correlate user activity without authentication due to improper state management (CWE-359: Exposure of Private Personal Information). The vulnerability affects default configurations across six Apple OS versions with network-accessible attack vector and low complexity. EPSS score of 0.02% (7th percentile) indicates minimal observed exploitation activity. Apple released coordinated patches across all affected platforms in March 2026 security updates.

Technical ContextAI

The vulnerability stems from CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor), specifically through inadequate state management in network stack or application layer components shared across Apple's operating system ecosystem. The flaw enables IP address-based user tracking, suggesting persistent identifiers or state information leak across sessions or contexts where isolation should exist. This could involve WebKit rendering engine, network proxy handling, DNS resolution, or system-level networking APIs that fail to properly isolate connection state. The cross-platform nature (iOS, iPadOS, macOS Sequoia/Sonoma/Tahoe, visionOS) indicates the affected code exists in a shared framework like Network.framework or lower-level networking primitives in the XNU kernel. Apple's fix description 'improved state management' suggests the remediation involved proper session isolation, connection state cleanup, or prevention of identifier correlation across network requests.

RemediationAI

Apply Apple's March 2026 security updates immediately: upgrade iOS and iPadOS devices to version 18.7.9 or 26.5, macOS Sequoia to 15.7.7, macOS Sonoma to 14.8.7, macOS Tahoe to 26.5, and visionOS to 26.5. Updates available through Settings → General → Software Update on iOS/iPadOS/visionOS, and System Settings → General → Software Update on macOS. Vendor advisories with detailed update instructions at https://support.apple.com/en-us/127110 through 127120. Organizations using mobile device management (MDM) should deploy patches via centralized update policies. No workarounds are documented for this vulnerability; compensating controls would require network-level IP address randomization through VPN or Tor, which introduces performance overhead and application compatibility issues. For devices that cannot be immediately patched, consider network segmentation to limit exposure of user activity patterns, though this does not eliminate the underlying tracking vector. Apple's patch resolves the root cause through improved state management without known side effects or compatibility impacts.

Share

EUVD-2026-29231 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy