Skip to main content

Apple iOS, macOS, tvOS EUVDEUVD-2026-29273

| CVE-2026-28972 MEDIUM
Out-of-bounds Write (CWE-787)
2026-05-11 apple GHSA-5wpw-5qmq-59j8
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 18:26 vuln.today
CVSS changed
May 12, 2026 - 18:22 NVD
6.5 (MEDIUM)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
MEDIUM 6.5

DescriptionCVE.org

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to cause unexpected system termination or write kernel memory.

AnalysisAI

Out-of-bounds write in Apple operating systems allows network-based unauthenticated attackers to corrupt kernel memory or cause denial of service without user interaction. The vulnerability affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS across multiple versions. Apple has released patches for all affected platforms, though the extremely low EPSS score (0.02%) suggests real-world exploitation risk is minimal despite the network attack vector.

Technical ContextAI

This is a CWE-787 out-of-bounds write (buffer overflow) vulnerability in Apple's core operating system kernel or system library code. The CVSS vector indicates network-based unauthenticated exploitation with low attack complexity, meaning the flaw exists in a network-facing service or protocol handler that processes external input without proper bounds checking. The CPE data confirms the vulnerability spans all major Apple platforms: iOS/iPadOS, macOS (multiple versions), tvOS, watchOS, and visionOS. The out-of-bounds write allows writing beyond allocated memory boundaries, which can corrupt kernel data structures, trigger kernel panic, or potentially enable privilege escalation.

RemediationAI

Patch immediately to the following vendor-released versions: iOS and iPadOS 26.5 or later (or iOS 18.7.9 if on that branch), macOS Sequoia 15.7.7 or later, macOS Sonoma 14.8.7 or later, macOS Tahoe 26.5 or later, tvOS 26.5 or later, watchOS 26.5 or later, and visionOS 26.5 or later. Updates are available through Apple's System Settings/Software Update on all platforms and via Apple's support pages (https://support.apple.com/en-us/127110 and related advisory links). Organizations managing fleet deployments should use Mobile Device Management (MDM) or similar tools to enforce installation before the vulnerability can be exploited. No workarounds are available; the out-of-bounds write occurs at the kernel level and cannot be mitigated through user-level configuration. For environments with critical systems on older macOS versions (Sonoma, Sequoia), verify patch deployment immediately as the network attack vector poses risk even to isolated networks if local services expose the vulnerable code path.

Share

EUVD-2026-29273 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy