Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
A race condition was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An app may be able to cause unexpected system termination.
AnalysisAI
A race condition in Apple operating systems allows unauthenticated remote attackers to cause system-wide denial of service through unexpected system termination. The vulnerability affects iOS/iPadOS, macOS (Sequoia, Sonoma, Tahoe), tvOS, and watchOS across multiple version branches. Apple has released patches for all affected platforms. The CVSS 7.5 score reflects high availability impact with network attack vector and low complexity, though EPSS probability remains very low (0.02%, 7th percentile), suggesting limited real-world exploitation likelihood. No active exploitation confirmed (not listed in CISA KEV), and no public proof-of-concept identified at time of analysis.
Technical ContextAI
This vulnerability stems from a race condition (CWE-362) in a shared system component across Apple's operating system family. Race conditions occur when multiple threads or processes access shared resources concurrently without proper synchronization, leading to unpredictable behavior depending on execution timing. Apple addressed the issue through 'additional validation' - likely adding atomic operations, mutex locks, or sequence checks to ensure operations complete in the correct order. The network attack vector (AV:N) combined with the cross-platform nature suggests the race condition exists in a network-accessible system service or framework common to iOS, macOS, tvOS, and watchOS. The CPE data confirms impact across Apple's entire ecosystem: mobile (iOS/iPadOS), desktop (macOS across three major versions), streaming (tvOS), and wearable (watchOS) platforms. The fact that seven separate security bulletins were issued indicates coordinated patching across all product lines.
RemediationAI
Update immediately to patched versions: iOS/iPadOS 18.7.9 or 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, or watchOS 26.5, as detailed in Apple security bulletins at https://support.apple.com/en-us/127110 through 127119. For enterprise deployments, prioritize internet-facing devices and systems in DMZ networks given the network attack vector. If immediate patching is not feasible, implement network segmentation to limit exposure of vulnerable Apple devices to untrusted networks, and deploy intrusion detection systems monitoring for abnormal system termination patterns that may indicate exploitation attempts - note this is detective, not preventive, and adds operational overhead for security teams investigating crashes. For consumer devices, enable automatic security updates in Settings to ensure timely deployment. No workaround exists to mitigate the underlying race condition without applying Apple's validation logic changes.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29280
GHSA-jp3g-c936-q6p5