Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing a maliciously crafted image may corrupt process memory.
AnalysisAI
Memory corruption in Apple's image processing subsystem allows remote unauthenticated attackers to read sensitive process memory across all major Apple platforms (iOS, macOS, tvOS, visionOS, watchOS). CVSS 7.5 indicates network-exploitable, no-interaction attack surface, yet EPSS score of 0.02% (7th percentile) suggests low observed exploitation activity. Vendor-released patches available for all affected platforms as of March 2026. No active exploitation confirmed (not in CISA KEV), but the network attack vector and broad platform impact warrant priority patching for Apple ecosystem deployments.
Technical ContextAI
This vulnerability affects Apple's cross-platform image processing library (exact component not disclosed), manifesting as a buffer overflow (CWE-119) during image parsing operations. The CPE data confirms impact across the entire Apple ecosystem: iOS/iPadOS 26.x, macOS across three major versions (Sequoia 15.x, Sonoma 14.x, and future Tahoe 26.x), tvOS, visionOS, and watchOS 26.x. Buffer overflows in image parsers typically occur when size validation fails during decompression or format conversion, allowing attackers to craft malformed image files that exceed allocated memory boundaries. The unified fix across platforms suggests a shared codebase vulnerability in Apple's ImageIO framework or similar lower-level image handling APIs used system-wide. The confidentiality-only impact (C:H/I:N/A:N in CVSS vector) indicates memory disclosure without code execution or denial of service - unusual for buffer overflows, suggesting read-beyond-bounds rather than write primitives.
RemediationAI
Apply vendor-released patches immediately for all affected Apple platforms: upgrade iOS and iPadOS to version 26.5 or later (https://support.apple.com/en-us/127110), macOS Sequoia to 15.7.7 or later (https://support.apple.com/en-us/127115), macOS Sonoma to 14.8.7 or later (https://support.apple.com/en-us/127116), macOS Tahoe to 26.5 or later (https://support.apple.com/en-us/127117), tvOS to 26.5 or later (https://support.apple.com/en-us/127118), visionOS to 26.5 or later (https://support.apple.com/en-us/127119), and watchOS to 26.5 or later (https://support.apple.com/en-us/127120). If immediate patching is not feasible, implement network-level controls to filter untrusted image content before processing: deploy web application firewalls with image format validation, restrict image upload functionality to authenticated users only (reducing attack surface from PR:N to PR:L), and sandbox image processing operations in isolated containers with memory limits to contain potential disclosure. For high-risk environments (public-facing web servers processing user-submitted images), consider temporarily disabling support for exotic image formats until patching is complete, though this may impact legitimate functionality. Monitor process memory access patterns for anomalous reads during image processing operations, though detection is challenging given the confidentiality-only impact leaves minimal forensic artifacts.
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29283
GHSA-xxqw-xrxq-2h73