Skip to main content

Apple Image Processing EUVDEUVD-2026-29283

| CVE-2026-28990 HIGH
Buffer Overflow (CWE-119)
2026-05-11 apple GHSA-xxqw-xrxq-2h73
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 14:29 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:07 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:07 nvd
HIGH 7.5

DescriptionCVE.org

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing a maliciously crafted image may corrupt process memory.

AnalysisAI

Memory corruption in Apple's image processing subsystem allows remote unauthenticated attackers to read sensitive process memory across all major Apple platforms (iOS, macOS, tvOS, visionOS, watchOS). CVSS 7.5 indicates network-exploitable, no-interaction attack surface, yet EPSS score of 0.02% (7th percentile) suggests low observed exploitation activity. Vendor-released patches available for all affected platforms as of March 2026. No active exploitation confirmed (not in CISA KEV), but the network attack vector and broad platform impact warrant priority patching for Apple ecosystem deployments.

Technical ContextAI

This vulnerability affects Apple's cross-platform image processing library (exact component not disclosed), manifesting as a buffer overflow (CWE-119) during image parsing operations. The CPE data confirms impact across the entire Apple ecosystem: iOS/iPadOS 26.x, macOS across three major versions (Sequoia 15.x, Sonoma 14.x, and future Tahoe 26.x), tvOS, visionOS, and watchOS 26.x. Buffer overflows in image parsers typically occur when size validation fails during decompression or format conversion, allowing attackers to craft malformed image files that exceed allocated memory boundaries. The unified fix across platforms suggests a shared codebase vulnerability in Apple's ImageIO framework or similar lower-level image handling APIs used system-wide. The confidentiality-only impact (C:H/I:N/A:N in CVSS vector) indicates memory disclosure without code execution or denial of service - unusual for buffer overflows, suggesting read-beyond-bounds rather than write primitives.

RemediationAI

Apply vendor-released patches immediately for all affected Apple platforms: upgrade iOS and iPadOS to version 26.5 or later (https://support.apple.com/en-us/127110), macOS Sequoia to 15.7.7 or later (https://support.apple.com/en-us/127115), macOS Sonoma to 14.8.7 or later (https://support.apple.com/en-us/127116), macOS Tahoe to 26.5 or later (https://support.apple.com/en-us/127117), tvOS to 26.5 or later (https://support.apple.com/en-us/127118), visionOS to 26.5 or later (https://support.apple.com/en-us/127119), and watchOS to 26.5 or later (https://support.apple.com/en-us/127120). If immediate patching is not feasible, implement network-level controls to filter untrusted image content before processing: deploy web application firewalls with image format validation, restrict image upload functionality to authenticated users only (reducing attack surface from PR:N to PR:L), and sandbox image processing operations in isolated containers with memory limits to contain potential disclosure. For high-risk environments (public-facing web servers processing user-submitted images), consider temporarily disabling support for exotic image formats until patching is complete, though this may impact legitimate functionality. Monitor process memory access patterns for anomalous reads during image processing operations, though detection is challenging given the confidentiality-only impact leaves minimal forensic artifacts.

Share

EUVD-2026-29283 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy