Skip to main content

Apple iOS/macOS/tvOS EUVDEUVD-2026-29289

| CVE-2026-28996 MEDIUM
Race Condition (CWE-362)
2026-05-11 apple GHSA-xp43-g5gh-f86x
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 13, 2026 - 16:23 vuln.today
CVSS changed
May 13, 2026 - 16:22 NVD
5.5 (MEDIUM)
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:07 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 20:07 nvd
MEDIUM 5.5

DescriptionCVE.org

A race condition was addressed with additional validation. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to access sensitive user data.

AnalysisAI

Race condition in Apple operating systems allows local apps to access sensitive user data without authorization. Affects iOS and iPadOS versions below 26.5, macOS Sequoia 15.7.7, Sonoma 14.8.7, Tahoe 26.5, tvOS, visionOS, and watchOS versions below 26.5. Requires local app execution and user interaction. CVSS 5.5 reflects high confidentiality impact but low exploitation likelihood (EPSS 0.02%, 7th percentile).

Technical ContextAI

The vulnerability stems from a race condition (CWE-362) in Apple's operating system kernel or framework handling of user data access controls. Race conditions occur when multiple processes or threads access shared resources without proper synchronization, allowing a window of opportunity where access checks can be bypassed. In this case, the race condition enables a locally installed application to read sensitive user information during the brief moment when concurrent operations fail to properly enforce data isolation. The issue affects Apple's unified kernel architecture spanning iOS, macOS variants (Sequoia, Sonoma, Tahoe), tvOS, visionOS, and watchOS, indicating the vulnerability likely exists in shared core system libraries or memory management subsystems common to all platforms.

RemediationAI

Vendor-released patches are available: update iOS/iPadOS to 26.5 or later, macOS Sequoia to 15.7.7 or later, macOS Sonoma to 14.8.7 or later, macOS Tahoe to 26.5 or later, tvOS to 26.5 or later, visionOS to 26.5 or later, and watchOS to 26.5 or later. Patches address the race condition through additional validation mechanisms. Organizations should prioritize updates for devices handling sensitive data; however, given the low EPSS score and requirement for local malicious app installation, updates can follow standard quarterly patching cycles rather than requiring emergency deployment. As a workaround before patching, restrict installation of untrusted third-party applications and disable sideloading where possible, though this limits app functionality. Monitor device behavior for signs of unauthorized data access attempts via system logs or mobile device management (MDM) solutions.

Share

EUVD-2026-29289 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy