Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5. Processing a maliciously crafted image may corrupt process memory.
AnalysisAI
Process memory corruption in Apple's image processing subsystem across iOS, iPadOS, macOS, tvOS, and visionOS allows remote attackers to extract confidential data from process memory via crafted images. The vulnerability affects all Apple operating systems prior to their respective May 2026 security updates. CVSS vector indicates network-based, unauthenticated exploitation requiring no user interaction beyond processing the image, though the CVSS score focuses on confidentiality impact (C:H) with no integrity or availability impact. EPSS score of 0.02% suggests low observed exploitation likelihood, with no CISA KEV listing or public POC identified at time of analysis. Apple has released patches across all affected platforms.
Technical ContextAI
This is a memory safety vulnerability (CWE-119: Buffer Errors) in Apple's shared image processing libraries used across their entire operating system ecosystem. The affected component likely resides in ImageIO framework or CoreGraphics, which handles parsing and rendering of image formats (JPEG, PNG, HEIF, etc.) across all Apple platforms. Buffer overflow vulnerabilities in image parsers occur when malformed image metadata (dimensions, color profiles, EXIF data) causes the parser to write beyond allocated memory boundaries during decoding. The network attack vector (AV:N) combined with no required user interaction (UI:N) indicates the vulnerability triggers automatically when the OS processes an image - potentially via iMessage preview, Mail attachment rendering, or system thumbnail generation. The CVSS vector's high confidentiality impact (C:H) with no integrity or availability impact suggests an information disclosure vulnerability rather than code execution, meaning attackers can read adjacent process memory but not modify it or crash the service.
RemediationAI
Apply the vendor-released patches immediately via automatic software updates or manual download from Apple Support. For iOS/iPadOS users: upgrade to version 18.7.9 or 26.5 depending on device support. For macOS Sequoia users: upgrade to 15.7.7. For macOS Tahoe users: upgrade to 26.5. For Apple TV users: upgrade tvOS to 26.5. For Vision Pro users: upgrade visionOS to 26.5. Updates available through Settings > General > Software Update on iOS/iPadOS/tvOS/visionOS, or System Settings > General > Software Update on macOS. Detailed instructions and security content available at https://support.apple.com/en-us/127110 through HT127120. If immediate patching is not feasible, implement network-level image filtering to block or sanitize untrusted images before delivery to endpoints - this requires deep packet inspection with format validation but adds latency and may break legitimate complex images. Disable automatic image rendering in high-risk applications (Mail preview, Messages preview) until patching is complete, though this significantly degrades user experience and may be organizationally unacceptable. For enterprise MDM deployments, force update policies should be configured to ensure rapid deployment within 72 hours given the network-accessible attack surface.
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29249
GHSA-757x-6rpx-jpwf