Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An attacker may be able to cause unexpected app termination.
AnalysisAI
Memory corruption in Apple operating systems due to a race condition in locking mechanisms allows local authenticated attackers to cause unexpected app termination or potential denial of service. The vulnerability affects iOS 18.7.8 and earlier, iPadOS 18.7.8 and earlier, macOS Sequoia 15.7.6 and earlier, macOS Sonoma 14.8.6 and earlier, macOS Tahoe 26.4 and earlier, tvOS 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier. Vendor-released patches are available across all affected platforms, with no public exploit identified at time of analysis.
Technical ContextAI
The vulnerability stems from CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), indicating a race condition in shared resource locking. The flaw affects the memory management subsystem across Apple's ecosystem, which relies on consistent locking primitives to prevent concurrent access to kernel or framework data structures. When multiple threads or processes attempt to access the same memory region without proper synchronization, an attacker with local access can trigger a race window to cause memory corruption. The issue is classified as a buffer overflow variant triggered through race condition mechanics rather than traditional bounds-check bypass.
RemediationAI
Vendor-released patches are available: upgrade to iOS 18.7.9 or iPadOS 18.7.9 for affected iPhones and iPads, macOS Sequoia 15.7.7 for compatible Macs, macOS Sonoma 14.8.7 for older Macs, macOS Tahoe 26.5 for newer Macs, tvOS 26.5 for Apple TV, visionOS 26.5 for Vision Pro, and watchOS 26.5 for Apple Watch. Patch availability is confirmed through Apple security bulletins (support.apple.com/en-us/127110 through 127120). Users should prioritize patching on systems where local user access is available (shared devices, developer machines, or managed enterprise endpoints). Workarounds short of patching are unavailable; improved locking is a kernel-level fix. The low EPSS score (0.02%) suggests patching can be scheduled as part of regular maintenance cycles rather than emergency out-of-band deployment, particularly for devices with restricted local access (e.g., personal iPhones).
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29285
GHSA-f933-7fg4-gxqr