Skip to main content

Apple iOS/macOS EUVDEUVD-2026-29276

| CVE-2026-28977 MEDIUM
Buffer Overflow (CWE-119)
2026-05-11 apple GHSA-qmqx-qxq3-57q5
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 13, 2026 - 15:59 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
6.2 (MEDIUM)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
MEDIUM 6.2

DescriptionCVE.org

The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing a maliciously crafted file may lead to unexpected app termination.

AnalysisAI

Improper bounds checking in Apple operating systems allows processing of maliciously crafted files to cause unexpected application termination (denial of service) on iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The vulnerability affects multiple major OS versions and requires local file processing without user interaction, but has extremely low real-world exploitation probability (EPSS 0.02%) despite moderate CVSS score.

Technical ContextAI

The vulnerability stems from improper bounds checking (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) in Apple's file processing logic. CWE-119 encompasses buffer overflows and similar memory access violations. The affected components span Apple's unified codebase across iOS 18.x/26.x, macOS Sequoia (15.x), Sonoma (14.x), Tahoe (26.x), tvOS, visionOS, and watchOS platforms, all built on similar kernel and framework architectures. The vulnerability triggers when a crafted file is processed locally, suggesting the flaw exists in a file parser or handler that lacks proper validation of file structure or content length before memory operations.

RemediationAI

Vendor-released patches are available across all affected platforms: upgrade iOS/iPadOS to 18.7.9 or 26.5, macOS Sequoia to 15.7.7, macOS Sonoma to 14.8.7, macOS Tahoe to 26.5, tvOS to 26.5, visionOS to 26.5, and watchOS to 26.5. Until patching is completed, restrict users' ability to open untrusted files from external sources, particularly those of file types known to trigger the vulnerable parser (specific file types not disclosed in available advisory). If file processing is business-critical and patching cannot be scheduled immediately, consider sandboxing file processing operations in isolated user accounts with minimal system privileges or using network-based file validation proxies that reject malformed files before delivery to vulnerable clients. Note that delaying patches on mobile platforms (iOS, watchOS) is high-risk given the prevalence of automatic background file handling; prioritize these updates.

Share

EUVD-2026-29276 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy