Skip to main content

iOS and iPadOS EUVDEUVD-2026-29270

| CVE-2026-28967 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-11 apple GHSA-f8vp-hxq7-7vh8
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 18:26 vuln.today
CVSS changed
May 12, 2026 - 18:22 NVD
4.9 (MEDIUM)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
MEDIUM 4.9

DescriptionCVE.org

A denial-of-service issue was addressed with improved input validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4. An attacker in a privileged network position may be able to cause a denial-of-service.

AnalysisAI

Denial-of-service vulnerability in iOS and iPadOS allows network-positioned attackers with high privileges to crash or degrade service availability through insufficient input validation. Apple addressed this with patches in iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, and iPadOS 26.4. EPSS score of 0.02% (5th percentile) indicates very low real-world exploitation probability despite CVSS score of 4.9.

Technical ContextAI

The vulnerability stems from improper input validation (CWE-400: Uncontrolled Resource Consumption) in iOS and iPadOS networking components. An attacker positioned on the network path between client and service can craft malformed network traffic that causes the operating system to consume excessive resources or enter an invalid state, resulting in denial of service. The AV:N vector confirms network-layer exploitation is possible, but the PR:H requirement (high privilege) significantly restricts the practical attack surface to adversaries with network infrastructure control, such as rogue network operators, ISP-level actors, or compromised network intermediaries.

RemediationAI

Vendor-released patches are available: upgrade to iOS 18.7.7, iPadOS 18.7.7, iOS 26.4, or iPadOS 26.4. No workarounds are documented for this input validation vulnerability. Organizations unable to patch immediately should prioritize this based on network security posture-the PR:H requirement means only attackers with privileged network position (compromised network infrastructure, rogue Wi-Fi, ISP-level interception) can exploit. Consider network segmentation and egress filtering to reduce exposure to compromised upstream networks if patch deployment is delayed. Consult Apple security advisories (support.apple.com/en-us/126792 and support.apple.com/en-us/126793) for additional guidance.

Share

EUVD-2026-29270 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy