Apple macOS: Macintosh Operating System

Recent Apple macOS Security Advisories

| Advisory | Title | Published |
|---|---|---|
| 127115 | macOS Tahoe 26.5 - Apple Security Content | May 11, 2026 |
| 127117 | macOS Sonoma 14.8.7 - Apple Security Content | May 11, 2026 |
| 127116 | macOS Sequoia 15.7.7 - Apple Security Content | May 11, 2026 |
| 126795 | macOS Sequoia 15.7.5 - Apple Security Content | March 24, 2026 |
| 126796 | macOS Sonoma 14.8.5 - Apple Security Content | March 24, 2026 |
| 126794 | macOS Tahoe 26.4 - Apple Security Content | March 24, 2026 |
| 126604 | Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2 - Apple Security Content | March 17, 2026 |
| 126348 | macOS Tahoe 26.3 - Apple Security Content | February 11, 2026 |
| 126349 | macOS Sequoia 15.7.4 - Apple Security Content | February 11, 2026 |
| 126350 | macOS Sonoma 14.8.4 - Apple Security Content | February 11, 2026 |

Known Exploited Apple macOS Vulnerabilities

The following Apple macOS vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

| Title | Description | CVE | Exploit Probability | Added |
|---|---|---|---|---|
| Apple macOS Use-After-Free Vulnerability | Apple macOS contains a use-after-free vulnerability that could allow for privilege escalation. | CVE-2019-8526 | 0.3% | April 17, 2023 |
| Apple macOS Out-of-Bounds Write Vulnerability | macOS Monterey contains an out-of-bounds write vulnerability that could allow an application to execute arbitrary code with kernel privileges. | CVE-2022-22675 | 1.1% | April 4, 2022 |
| Apple macOS Out-of-Bounds Read Vulnerability | macOS Monterey contains an out-of-bounds read vulnerability that could allow an application to read kernel memory. | CVE-2022-22674 | 0.2% | April 4, 2022 |
| Apple macOS Input Validation Error | A malicious application may be able to bypass Privacy preferences. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-30713 | 0.1% | November 3, 2021 |
| Apple macOS Policy Subsystem Gatekeeper Bypass | A malicious application may bypass Gatekeeper checks. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-30657 | 83.1% | November 3, 2021 |

The vulnerability CVE-2021-30657: Apple macOS Policy Subsystem Gatekeeper Bypass is in the top 1% of the currently known exploitable vulnerabilities.

Apple macOS EOL Dates

Ensure that you are using a supported version of Apple macOS. Here are some end-of-life and end-of-support dates for Apple macOS.

| Release | EOL Date | Status |
|---|---|---|
| 26 | - | Active |
| 15 | - | Active |
| 14 | - | Active |
| 13 | September 15, 2025 | EOL |
| 12 | September 16, 2024 | EOL |
| 11 | February 2, 2026 | EOL |
| 10.15 | February 2, 2026 | EOL |
| 10.14 | October 25, 2021 | EOL |
| 10.13 | December 1, 2020 | EOL |
| 10.12 | October 1, 2019 | EOL |
| 10.11 | December 1, 2018 | EOL |
| 10.9 | December 1, 2016 | EOL |
| 10.8 | August 13, 2015 | EOL |
| 10.7 | October 4, 2012 | EOL |
| 10.6 | July 25, 2011 | EOL |
| 10.5 | August 13, 2009 | EOL |
| 10.4 | November 14, 2007 | EOL |
| 10.3 | April 15, 2005 | EOL |
| 10.2 | October 3, 2003 | EOL |
| 10.1 | June 6, 2002 | EOL |

By the Year

In 2026 there have been 251 vulnerabilities in Apple macOS with an average score of 6.3 out of ten. Last year, in 2025, macOS had 679 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in macOS in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.33.

| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 251 | 6.26 |
| 2025 | 679 | 6.59 |
| 2024 | 543 | 6.43 |
| 2023 | 426 | 6.75 |
| 2022 | 381 | 7.10 |
| 2021 | 500 | 7.01 |
| 2020 | 342 | 7.24 |
| 2019 | 305 | 7.65 |
| 2018 | 89 | 7.25 |

It may take a day or so for new macOS vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apple macOS Security Vulnerabilities

Info Leak & PrivEsc in macOS Tahoe 26.5
CVE-2026-28976 - May 11, 2026

An information leakage was addressed with additional validation. This issue is fixed in macOS Tahoe 26.5. An app may be able to gain root privileges.

Apple iOS/macOS/tvOS Local Network DoS via Memory Handling
CVE-2026-43653 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5. An attacker on the local network may be able to cause a denial-of-service.

macOS buffer overflow causes system crash; fixed Sequoia 15.7.7/Tahoe 26.5
CVE-2026-28848 7.5 - High - May 11, 2026

A buffer overflow was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.7.7, macOS Tahoe 26.5. A remote attacker may be able to cause unexpected system termination.

Stack Overflow

Apple iOS 26.5/iPadOS 26.5 Sandbox Escape via Logic Error
CVE-2026-28995 8.8 - High - May 11, 2026

A logic issue was addressed with improved restrictions. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. A malicious app may be able to break out of its sandbox.

Improper Privilege Management

Apple OS Type Confusion (CVE-2026-28983) Remote DoS (fixed iOS 18.7.9)
CVE-2026-28983 - May 11, 2026

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. A remote attacker may be able to cause a denial of service.

Apple iOS/iPadOS Mem Corrupt from Malicious Image (fixed 18.7.9)
CVE-2026-28940 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5. Processing a maliciously crafted image may corrupt process memory.

Apple iOS Updated 18.7.9 Prevents Crash from Malicious Web Content
CVE-2026-28917 - May 11, 2026

The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Apple OS iOS 18.7.9 Crash via Malicious Audio Stream
CVE-2026-39869 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing an audio stream in a maliciously crafted media file may terminate the process.

Apple WebKit Memory Crash via Crafted Web Content - fixed in 26.5
CVE-2026-28901 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Apple Media Codec Memory Corruption in iOS/macOS prior 26.5
CVE-2026-28956 - May 11, 2026

A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.

Apple iOS/macOS File Parser DoS / Mem Disclosure (fixed iOS18.7.9, macOS15.7.7)
CVE-2026-28941 - May 11, 2026

The issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Tahoe 26.5. Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents.

Apple WiFi Use-After-Free DoS fixed iOS 18.7.9 / macOS 15.7.7
CVE-2026-28994 - May 11, 2026

A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An attacker in a privileged network position may be able to perform a denial-of-service attack using crafted Wi-Fi packets.

Use-After-Free in Apple OS Kernels (iOS 18.7.9+, macOS 15.7.7+)
CVE-2026-43668 - May 11, 2026

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. A remote attacker may be able to cause unexpected system termination or corrupt kernel memory.

macOS Tahoe - Permissions Bypass in System Component (before 26.5)
CVE-2026-43652 - May 11, 2026

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.5. An app may be able to access protected user data.

Apple iOS/macOS File Processing Crash (CVE-2026-28936)
CVE-2026-28936 - May 11, 2026

The issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. Processing a maliciously crafted file may lead to unexpected app termination.

iOS/macOS tvOS Bypass Bounds Check Crash - Fixed in 18.7.9, 26.5
CVE-2026-28977 - May 11, 2026

The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing a maliciously crafted file may lead to unexpected app termination.

CVE-2026-28961: macOS Tahoe 26.5 Physical Access Can Read Sensitive Data
CVE-2026-28961 - May 11, 2026

This issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.5. An attacker with physical access to a locked device may be able to view sensitive user information.

Apple Safari/WebKit Info Leak via Malicious Site Fixed iOS 26.5, macOS 15.7
CVE-2026-28920 - May 11, 2026

An information leakage was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Visiting a maliciously crafted website may leak sensitive data.

Apple iOS/iPadOS/macOS Data Leak via Consent Bypass (fixed 18.7.9)
CVE-2026-28993 - May 11, 2026

This issue was addressed by adding an additional prompt for user consent. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access user-sensitive data.

Apple OS 26.5 Null Ptr Deref Local DoS
CVE-2026-28985 - May 11, 2026

A null pointer dereference was addressed with improved input validation. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5. An attacker on the local network may be able to cause a denial-of-service.

Apple OS Kernel Buffer Overflow Fixed in iOS 18.7.9/Sequoia 15.7.7
CVE-2026-28897 6.2 - Medium - May 11, 2026

A buffer overflow was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. A local user may be able to cause unexpected system termination or read kernel memory.

Stack Overflow

Apple OS iOS/macOS 26.5 Race Condition permitting sensitive data access
CVE-2026-43659 4.7 - Medium - May 11, 2026

A race condition was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access sensitive user data.

Race Condition

UAF in Safari WebKit on macOS before 26.5 (fixed 26.5)
CVE-2026-28946 - May 11, 2026

A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Tahoe 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.

CSP bypass in Apple OS 26.5 (iOS, iPadOS, macOS, tvOS, visionOS, watchOS)
CVE-2026-28907 - May 11, 2026

The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.

Apple OS Out-of-Bounds Read (Fixed in 26.5)
CVE-2026-43655 - May 11, 2026

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An app may be able to cause unexpected system termination or read kernel memory.

Apple macOS/iOS kernel OOBW fixed in 18.7.9
CVE-2026-28819 - May 11, 2026

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to execute arbitrary code with kernel privileges.

Apple OS Kernel Mem Disclosure via App (fixed iOS 18.7.9+; macOS 15.7.7+)
CVE-2026-43654 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to disclose kernel memory.

Apple macOS Tahoe 26.5 permission issue: app may access protected user data
CVE-2026-28930 - May 11, 2026

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.5. An app may be able to access protected user data.

Apple iOS/macOS iPadOS visionOS iframe download settings flaw before 26.5
CVE-2026-28971 - May 11, 2026

The issue was addressed with improved UI handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website's download settings.

Apple OS 26.5+ Permissions Flaw Allows Privacy Preference Bypass
CVE-2026-28988 - May 11, 2026

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5, watchOS 26.5. An app may be able to bypass certain Privacy preferences.

Authorization Bypass in macOS Tahoe 26.4 Allows App to Access Sensitive Data
CVE-2026-20696 - May 11, 2026

An authorization issue was addressed with improved state management. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data.

Apple OS: Root Priv Escal via State Mismanage (fixed iOS 18.7.9, macOS 14.8.7)
CVE-2026-28951 7.8 - High - May 11, 2026

An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to gain root privileges.

AuthZ

Apple OS IP Tracking via State Mgmt v<18.7.9/26.5 CVE-2026-28906
CVE-2026-28906 - May 11, 2026

This issue was addressed through improved state management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An attacker may be able to track users through their IP address.

macOS Tahoe 26.4: Arbitrary File Access CVE-2026-28910
CVE-2026-28910 - May 11, 2026

This issue was addressed with improved permissions checking. This issue is fixed in macOS Tahoe 26.4. A malicious app may be able to access arbitrary files.

Apple Safari: UAF Crash Vulnerability Fixed in 26.5
CVE-2026-28947 - May 11, 2026

A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.

Apple OS memory corruption (fixed iOS 18.7.9, macOS 15.7.7)
CVE-2026-28992 - May 11, 2026

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An attacker may be able to cause unexpected app termination.

Apple Safari 26.5 Crash via Malicious Web Content
CVE-2026-43658 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.

Apple iOS Integer Overflow (pre-18.7.9: possible crash)
CVE-2026-28952 - May 11, 2026

An integer overflow was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to cause unexpected system termination.

WebKit Crash via WebContent (iOS/iPadOS <26.5, macOS/tvOS/visionOS <26.5)
CVE-2026-28905 7.5 - High - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Buffer Overflow

macOS Root Priv Escalation via Permission Bypass (fixed 15.7.7, 14.8.7, 26.4)
CVE-2026-28840 7.8 - High - May 11, 2026

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.4. An app may be able to gain root privileges.

Improper Privilege Management

Apple iOS 26.5 Buffer Overflow via Malicious Image Processing
CVE-2026-43661 7.5 - High - May 11, 2026

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. Processing a maliciously crafted image may corrupt process memory.

Stack Overflow

Apple OS 26.5: Unexpected Process Crash via Malicious Web Content (Fix)
CVE-2026-28913 7.5 - High - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Buffer Overflow

Apple OS 26.5 Memory Handling Crash on Malicious Web Content
CVE-2026-28944 7.5 - High - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Buffer Overflow

Apple OS Logging Leak (kernel state) pre iOS 18.7.9 / macOS 14.8.7
CVE-2026-28987 7.5 - High - May 11, 2026

A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An app may be able to leak sensitive kernel state.

Insertion of Sensitive Information into Log File

Apple OSes: OOB Read DoS Before 26.5 (Fixed in 26.5)
CVE-2026-28991 - May 11, 2026

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to cause a denial-of-service.

Apple Mail Remote Image Leakage in Lockdown Mode Fixed iOS 18.7.9/macOS 15.7.7/14.8.7/26.5
CVE-2026-28929 7.5 - High - May 11, 2026

A logic issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. Replying to an email could display remote images in Mail in Lockdown Mode.

Incorrect Comparison Logic Granularity

Apple iOS/macOS 26.5 Use-After-Free in Web Rendering
CVE-2026-28883 7.5 - High - May 11, 2026

A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Dangling pointer

Apple OS Kernel OOB Write (iOS 18.7.9/iPadOS 18.7.9, macOS 15.7.7)
CVE-2026-28972 - May 11, 2026

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to cause unexpected system termination or write kernel memory.

macOS Kernel Buffer Overflow (Sequoia <15.7.7, Sonoma <14.8.7)
CVE-2026-28925 7.5 - High - May 11, 2026

A buffer overflow was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to cause unexpected system termination or write kernel memory.

Classic Buffer Overflow

Apple Keychain State Modification Local Attack (CVE-2026-28860)
CVE-2026-28860 7.5 - High - May 11, 2026

The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. A local attacker may be able to modify the state of the Keychain.

Improper Input Validation
