Skip to main content

Apple iOS, macOS, tvOS EUVDEUVD-2026-29285

| CVE-2026-28992 MEDIUM
Race Condition (CWE-362)
2026-05-11 apple GHSA-f933-7fg4-gxqr
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 18:26 vuln.today
CVSS changed
May 12, 2026 - 18:22 NVD
4.7 (MEDIUM)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:08 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:08 nvd
MEDIUM 4.7

DescriptionCVE.org

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An attacker may be able to cause unexpected app termination.

AnalysisAI

Memory corruption in Apple operating systems due to a race condition in locking mechanisms allows local authenticated attackers to cause unexpected app termination or potential denial of service. The vulnerability affects iOS 18.7.8 and earlier, iPadOS 18.7.8 and earlier, macOS Sequoia 15.7.6 and earlier, macOS Sonoma 14.8.6 and earlier, macOS Tahoe 26.4 and earlier, tvOS 26.4 and earlier, visionOS 26.4 and earlier, and watchOS 26.4 and earlier. Vendor-released patches are available across all affected platforms, with no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability stems from CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), indicating a race condition in shared resource locking. The flaw affects the memory management subsystem across Apple's ecosystem, which relies on consistent locking primitives to prevent concurrent access to kernel or framework data structures. When multiple threads or processes attempt to access the same memory region without proper synchronization, an attacker with local access can trigger a race window to cause memory corruption. The issue is classified as a buffer overflow variant triggered through race condition mechanics rather than traditional bounds-check bypass.

RemediationAI

Vendor-released patches are available: upgrade to iOS 18.7.9 or iPadOS 18.7.9 for affected iPhones and iPads, macOS Sequoia 15.7.7 for compatible Macs, macOS Sonoma 14.8.7 for older Macs, macOS Tahoe 26.5 for newer Macs, tvOS 26.5 for Apple TV, visionOS 26.5 for Vision Pro, and watchOS 26.5 for Apple Watch. Patch availability is confirmed through Apple security bulletins (support.apple.com/en-us/127110 through 127120). Users should prioritize patching on systems where local user access is available (shared devices, developer machines, or managed enterprise endpoints). Workarounds short of patching are unavailable; improved locking is a kernel-level fix. The low EPSS score (0.02%) suggests patching can be scheduled as part of regular maintenance cycles rather than emergency out-of-band deployment, particularly for devices with restricted local access (e.g., personal iPhones).

Share

EUVD-2026-29285 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy