Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
A race condition was addressed with additional validation. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to access sensitive user data.
AnalysisAI
Race condition in Apple operating systems allows local apps to access sensitive user data without authorization. Affects iOS and iPadOS versions below 26.5, macOS Sequoia 15.7.7, Sonoma 14.8.7, Tahoe 26.5, tvOS, visionOS, and watchOS versions below 26.5. Requires local app execution and user interaction. CVSS 5.5 reflects high confidentiality impact but low exploitation likelihood (EPSS 0.02%, 7th percentile).
Technical ContextAI
The vulnerability stems from a race condition (CWE-362) in Apple's operating system kernel or framework handling of user data access controls. Race conditions occur when multiple processes or threads access shared resources without proper synchronization, allowing a window of opportunity where access checks can be bypassed. In this case, the race condition enables a locally installed application to read sensitive user information during the brief moment when concurrent operations fail to properly enforce data isolation. The issue affects Apple's unified kernel architecture spanning iOS, macOS variants (Sequoia, Sonoma, Tahoe), tvOS, visionOS, and watchOS, indicating the vulnerability likely exists in shared core system libraries or memory management subsystems common to all platforms.
RemediationAI
Vendor-released patches are available: update iOS/iPadOS to 26.5 or later, macOS Sequoia to 15.7.7 or later, macOS Sonoma to 14.8.7 or later, macOS Tahoe to 26.5 or later, tvOS to 26.5 or later, visionOS to 26.5 or later, and watchOS to 26.5 or later. Patches address the race condition through additional validation mechanisms. Organizations should prioritize updates for devices handling sensitive data; however, given the low EPSS score and requirement for local malicious app installation, updates can follow standard quarterly patching cycles rather than requiring emergency deployment. As a workaround before patching, restrict installation of untrusted third-party applications and disable sideloading where possible, though this limits app functionality. Monitor device behavior for signs of unauthorized data access attempts via system logs or mobile device management (MDM) solutions.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29289
GHSA-xp43-g5gh-f86x