Skip to main content

iOS and iPadOS EUVDEUVD-2026-29268

| CVE-2026-28964 HIGH
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-05-11 apple GHSA-2899-6rgx-h9c6
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:27 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 26.5 and iPadOS 26.5, visionOS 26.5. An app may be able to access sensitive user data.

AnalysisAI

Malicious applications on iOS 26.5, iPadOS 26.5, and visionOS 26.5 can access sensitive user data due to inconsistent user interface state management. The vulnerability stems from UI state handling flaws (CWE-451) that allow apps to bypass expected data access controls. Apple has released patches in iOS/iPadOS 26.5 and visionOS 26.5. Despite a CVSS score of 7.5 (High), the EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability in the wild. No public exploit code or CISA KEV listing identified at time of analysis, suggesting this is primarily a platform-hardening fix rather than an actively targeted vulnerability.

Technical ContextAI

This vulnerability exploits CWE-451 (User Interface Misrepresentation of Critical Information), specifically through inconsistent state management in Apple's operating system UI frameworks. The affected products are iOS and iPadOS versions prior to 26.5, and visionOS versions prior to 26.5, as confirmed by CPE strings cpe:2.3:a:apple:ios_and_ipados:*:*:*:*:*:*:*:* and cpe:2.3:a:apple:visionos:*:*:*:*:*:*:*:*. UI state management controls how applications interact with system-level permission prompts, data access controls, and user consent workflows. When state transitions are handled inconsistently, malicious applications can potentially access sensitive data (contacts, photos, location, health data) without proper user authorization or by manipulating the UI state to bypass permission checks. The CVSS vector AV:N/AC:L/PR:N/UI:N indicates network-accessible attack surface with low complexity, though the description context suggests the actual attack requires a malicious app already installed on the device, creating tension between the CVSS vector and the described attack scenario.

RemediationAI

Update to Apple-released patched versions: iOS 26.5, iPadOS 26.5, or visionOS 26.5 as documented in Apple security advisories HT127110 and HT127120 (https://support.apple.com/en-us/127110, https://support.apple.com/en-us/127120). For devices that cannot immediately update, implement compensating controls through Mobile Device Management (MDM) policies: restrict third-party application installation to only vetted enterprise apps via allowlisting, disable sideloading and developer mode, and enforce App Store-only installation policies. Note these mitigations reduce attack surface but do not eliminate risk if malicious apps are already installed or if users have administrative control. Review application permissions for existing installed apps and revoke unnecessary data access permissions in Settings > Privacy & Security. For enterprise deployments, prioritize updates for devices with sensitive data access (executive devices, healthcare/finance sector use cases) and consider phased rollout testing the iOS 26.5 update for application compatibility before broad deployment.

Share

EUVD-2026-29268 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy