Skip to main content

Apple Operating Systems EUVDEUVD-2026-29278

| CVE-2026-28983 HIGH
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2026-05-11 apple GHSA-36h7-c8f4-vc3p
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 18:24 vuln.today
CVSS changed
May 12, 2026 - 18:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
HIGH 7.5

DescriptionCVE.org

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. A remote attacker may be able to cause a denial of service.

AnalysisAI

Type confusion vulnerability in Apple's operating systems allows remote unauthenticated attackers to trigger denial of service across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Apple has released patches addressing the issue in iOS/iPadOS 18.7.9 and 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. The CVSS vector indicates network-accessible exploitation with low complexity and no privileges required, though EPSS score of 0.13% (32nd percentile) suggests relatively low likelihood of widespread exploitation. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Type confusion vulnerabilities occur when code incorrectly handles data of one type as if it were another type, leading to memory corruption or unexpected behavior. In this case, Apple addressed the issue through improved type checking mechanisms across their operating system family. The vulnerability affects fundamental components shared across Apple's ecosystem, as evidenced by the simultaneous patching across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The network attack vector (AV:N) and availability impact (A:H) suggest the type confusion occurs in network-facing code, potentially in protocol parsing, network API handling, or inter-process communication mechanisms. Without CWE classification, the specific type confusion category remains unspecified, though common variants include CWE-843 (Access of Resource Using Incompatible Type) or CWE-704 (Incorrect Type Conversion or Cast).

RemediationAI

Apple has released patches for all affected platforms: update iOS and iPadOS devices to version 18.7.9 or 26.5 (depending on device compatibility), macOS systems to Tahoe 26.5, tvOS devices to 26.5, visionOS headsets to 26.5, and watchOS devices to 26.5. Updates can be obtained through standard Apple software update mechanisms (Settings > General > Software Update for iOS/iPadOS, System Settings > General > Software Update for macOS). Consult platform-specific advisories at support.apple.com URLs 127110 through 127120 for detailed update instructions. For environments unable to immediately patch, implement network-layer mitigations by restricting untrusted network access to affected devices through firewall rules, network segmentation, or VPN-only access, though this significantly impacts device functionality and user experience. Organizations should prioritize patching internet-facing systems and high-availability services first, while accepting temporary DoS risk for isolated internal endpoints may be reasonable pending maintenance windows.

Share

EUVD-2026-29278 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy