Apple iOS

The iOS Operating System used by iPhones.

Recent Apple iOS Security Advisories

| Advisory | Title | Published |
|---|---|---|
| 127110 | iOS 26.5 and iPadOS 26.5 - Apple Security Content | May 11, 2026 |
| 127113 | iOS 16.7.16 and iPadOS 16.7.16 - Apple Security Content | May 11, 2026 |
| 127114 | iOS 15.8.8 and iPadOS 15.8.8 - Apple Security Content | May 11, 2026 |
| 127111 | iOS 18.7.9 and iPadOS 18.7.9 - Apple Security Content | May 11, 2026 |
| 127002 | iOS 26.4.2 and iPadOS 26.4.2 - Apple Security Content | April 22, 2026 |
| 127003 | iOS 18.7.8 and iPadOS 18.7.8 - Apple Security Content | April 22, 2026 |
| 126792 | iOS 26.4 and iPadOS 26.4 - Apple Security Content | March 24, 2026 |
| 126793 | iOS 18.7.7 and iPadOS 18.7.7 - Apple Security Content | March 24, 2026 |
| 126604 | Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2 - Apple Security Content | March 17, 2026 |
| 126632 | iOS 15.8.7 and iPadOS 15.8.7 - Apple Security Content | March 11, 2026 |

Known Exploited Apple iOS Vulnerabilities

The following Apple iOS vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

| Title | Description | CVE | Exploit Probability | Added |
|---|---|---|---|---|
| Apple iOS Type Confusion Vulnerability | Apple iOS contains a type confusion vulnerability when processing maliciously crafted web content leading to code execution. | CVE-2022-42856 | 0.2% | December 14, 2022 |
| Apple iOS Information Disclosure Vulnerability | The Apple iOS kernel allows attackers to obtain sensitive information from memory via a crafted application. | CVE-2016-4655 | 81.7% | May 24, 2022 |
| Apple iOS Memory Corruption Vulnerability | A memory corruption vulnerability in Apple iOS kernel allows attackers to execute code in a privileged context or cause a denial-of-service via a crafted application. | CVE-2016-4656 | 66.7% | May 24, 2022 |
| Apple iOS Webkit Memory Corruption Vulnerability | WebKit in Apple iOS contains a memory corruption vulnerability which allows attackers to execute remote code or cause a denial-of-service via a crafted web site. | CVE-2016-4657 | 79.4% | May 24, 2022 |
| Apple iOS Memory Corruption Vulnerability | Apple iOS contains a memory corruption vulnerability which could allow an attacker to perform remote code execution. | CVE-2019-7287 | 4.9% | May 23, 2022 |
| Apple iOS "FORCEDENTRY" Remote Code Execution Vulnerability | An integer overflow was addressed with improved input validation vulnerability affecting iOS devices that allows for remote code execution. | CVE-2021-30860 | 70.6% | November 3, 2021 |
| Apple WebKit Browser Engine Use-After-Free Vulnerability | Use after free issue. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-30762 | 0.0% | November 3, 2021 |
| Apple iOS Privilege Escalation and Code Execution Chain | A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-1782 | 5.9% | November 3, 2021 |
| Apple iOS Privilege Escalation and Code Execution Chain | A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-1870 | 1.2% | November 3, 2021 |
| Apple iOS Privilege Escalation and Code Execution Chain | A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-1871 | 0.9% | November 3, 2021 |
| Apple iOS Webkit Browser Engine XSS | Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-1879 | 0.8% | November 3, 2021 |
| Apple iOS Webkit Storage Use-After-Free Remote Code Execution Vulnerability | Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-30661 | 0.1% | November 3, 2021 |
| Apple iOS12.x Buffer Overflow | Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-30666 | 1.5% | November 3, 2021 |
| Apple WebKit Browser Engine Memory Corruption Vulnerability | Memory corruption issue. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-30761 | 0.5% | November 3, 2021 |

Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 2 known exploited Apple iOS vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

Apple iOS EOL Dates

Ensure that you are using a supported version of Apple iOS. Here are some end-of-life and end-of-support dates for Apple iOS.

| Release | EOL Date | Status | Notes |
|---|---|---|---|
| 26 | - | Active | |
| 18 | April 22, 2026 | EOL | Apple iOS 18 became EOL in 2026 and support ended in 2025 |
| 17 | November 19, 2024 | EOL | Apple iOS 17 became EOL in 2024 and support ended in 2024 |
| 16 | March 31, 2025 | EOL | Apple iOS 16 became EOL in 2025 and support ended in 2023 |
| 15 | March 31, 2025 | EOL | Apple iOS 15 became EOL in 2025 and support ended in 2022 |
| 14 | October 1, 2021 | EOL | Apple iOS 14 became EOL in 2021 and support ended in 2021 |
| 13 | September 16, 2020 | EOL | Apple iOS 13 became EOL in 2020 and support ended in 2020 |
| 12 | January 23, 2023 | EOL | Apple iOS 12 became EOL in 2023 and support ended in 2019 |
| 11 | October 8, 2018 | EOL | Apple iOS 11 became EOL in 2018 and support ended in 2018 |
| 10 | September 26, 2017 | EOL | Apple iOS 10 became EOL in 2017 and support ended in 2017 |

By the Year

In 2026 there have been 162 vulnerabilities in Apple iOS with an average score of 6.0 out of ten. Last year, in 2025, iOS had 356 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in iOS in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.46.




| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 162 | 5.97 |
| 2025 | 356 | 6.42 |
| 2024 | 325 | 6.20 |
| 2023 | 273 | 6.77 |
| 2022 | 244 | 7.09 |
| 2021 | 383 | 6.93 |
| 2020 | 294 | 6.98 |
| 2019 | 353 | 7.79 |
| 2018 | 100 | 7.39 |

It may take a day or so for new iOS vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apple iOS Security Vulnerabilities

iOS/iPadOS resource exhaustion (CVE-2026-28872) fixed in 18.7.9/26.4
CVE-2026-28872 - May 11, 2026

A resource exhaustion issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4. A remote attacker may be able to cause a denial-of-service.

Apple iOS/macOS/tvOS Local Network DoS via Memory Handling
CVE-2026-43653 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5. An attacker on the local network may be able to cause a denial-of-service.

Apple iOS 26.5/iPadOS 26.5 Sandbox Escape via Logic Error
CVE-2026-28995 - May 11, 2026

A logic issue was addressed with improved restrictions. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. A malicious app may be able to break out of its sandbox.

Apple OS Type Confusion (CVE-2026-28983) Remote DoS (fixed iOS 18.7.9)
CVE-2026-28983 - May 11, 2026

A type confusion issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. A remote attacker may be able to cause a denial of service.

Apple iOS/iPadOS Mem Corrupt from Malicious Image (fixed 18.7.9)
CVE-2026-28940 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5. Processing a maliciously crafted image may corrupt process memory.

Apple iOS Updated 18.7.9 Prevents Crash from Malicious Web Content
CVE-2026-28917 - May 11, 2026

The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Apple OS iOS 18.7.9 Crash via Malicious Audio Stream
CVE-2026-39869 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing an audio stream in a maliciously crafted media file may terminate the process.

Apple WebKit Memory Crash via Crafted Web Content - fixed in 26.5
CVE-2026-28901 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Apple Media Codec Memory Corruption in iOS/macOS prior 26.5
CVE-2026-28956 - May 11, 2026

A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.

Apple iOS/macOS File Parser DoS / Mem Disclosure (fixed iOS18.7.9, macOS15.7.7)
CVE-2026-28941 - May 11, 2026

The issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Tahoe 26.5. Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents.

Apple iOS/iPadOS Camera Metadata Leak Enables Capture (pre 18.7.9/26.5)
CVE-2026-28957 - May 11, 2026

An issue with app access to camera metadata was addressed with improved logic. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, visionOS 26.5. An app may be able to capture a user's screen.

Apple WiFi Use-After-Free DoS fixed iOS 18.7.9 / macOS 15.7.7
CVE-2026-28994 - May 11, 2026

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An attacker in a privileged network position may be able to perform a denial-of-service attack using crafted Wi-Fi packets.

Use-After-Free in Apple OS Kernels (iOS 18.7.9+, macOS 15.7.7+)
CVE-2026-43668 - May 11, 2026

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. A remote attacker may be able to cause unexpected system termination or corrupt kernel memory.

Apple iOS/macOS File Processing Crash (CVE-2026-28936)
CVE-2026-28936 - May 11, 2026

The issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. Processing a maliciously crafted file may lead to unexpected app termination.

Apple iOS Privacy Report Logging Circumvention (Fixed in 18.7.9/26.4)
CVE-2026-28873 - May 11, 2026

This issue was addressed with additional entitlement checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4. An app may be able to circumvent App Privacy Report logging.

iOS/macOS tvOS Bypass Bounds Check Crash - Fixed in 18.7.9, 26.5
CVE-2026-28977 - May 11, 2026

The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing a maliciously crafted file may lead to unexpected app termination.

Apple Safari/WebKit Info Leak via Malicious Site Fixed iOS 26.5, macOS 15.7
CVE-2026-28920 - May 11, 2026

An information leakage was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Visiting a maliciously crafted website may leak sensitive data.

Apple iOS/iPadOS/macOS Data Leak via Consent Bypass (fixed 18.7.9)
CVE-2026-28993 - May 11, 2026

This issue was addressed by adding an additional prompt for user consent. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access user-sensitive data.

Apple OS 26.5 Null Ptr Deref Local DoS
CVE-2026-28985 - May 11, 2026

A null pointer dereference was addressed with improved input validation. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5. An attacker on the local network may be able to cause a denial-of-service.

Apple OS Kernel Buffer Overflow Fixed in iOS 18.7.9/Sequoia 15.7.7
CVE-2026-28897 - May 11, 2026

A buffer overflow was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. A local user may be able to cause unexpected system termination or read kernel memory.

Apple OS iOS/macOS 26.5 Race Condition permitting sensitive data access
CVE-2026-43659 - May 11, 2026

A race condition was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access sensitive user data.

CSP bypass in Apple OS 26.5 (iOS, iPadOS, macOS, tvOS, visionOS, watchOS)
CVE-2026-28907 - May 11, 2026

The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.

Apple OS Out-of-Bounds Read (Fixed in 26.5)
CVE-2026-43655 - May 11, 2026

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An app may be able to cause unexpected system termination or read kernel memory.

Apple macOS/iOS kernel OOBW fixed in 18.7.9
CVE-2026-28819 - May 11, 2026

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to execute arbitrary code with kernel privileges.

Apple OS Kernel Mem Disclosure via App (fixed iOS 18.7.9+; macOS 15.7.7+)
CVE-2026-43654 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to disclose kernel memory.

Apple OS 26.5+ Permissions Flaw Allows Privacy Preference Bypass
CVE-2026-28988 - May 11, 2026

A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5, watchOS 26.5. An app may be able to bypass certain Privacy preferences.

Apple iOS/macOS iPadOS visionOS iframe download settings flaw before 26.5
CVE-2026-28971 - May 11, 2026

The issue was addressed with improved UI handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website's download settings.

Apple OS: Root Priv Escal via State Mismanage (fixed iOS 18.7.9, macOS 14.8.7)
CVE-2026-28951 - May 11, 2026

An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to gain root privileges.

Apple OS IP Tracking via State Mgmt v<18.7.9/26.5 CVE-2026-28906
CVE-2026-28906 - May 11, 2026

This issue was addressed through improved state management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An attacker may be able to track users through their IP address.

Apple Safari: UAF Crash Vulnerability Fixed in 26.5
CVE-2026-28947 - May 11, 2026

A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.

Apple Safari 26.5 Crash via Malicious Web Content
CVE-2026-43658 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.

Apple OS memory corruption (fixed iOS 18.7.9, macOS 15.7.7)
CVE-2026-28992 - May 11, 2026

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An attacker may be able to cause unexpected app termination.

Apple iOS Integer Overflow (pre-18.7.9: possible crash)
CVE-2026-28952 - May 11, 2026

An integer overflow was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to cause unexpected system termination.

WebKit Crash via WebContent (iOS/iPadOS <26.5, macOS/tvOS/visionOS <26.5)
CVE-2026-28905 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Apple iOS 26.5 Buffer Overflow via Malicious Image Processing
CVE-2026-43661 - May 11, 2026

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. Processing a maliciously crafted image may corrupt process memory.

Apple OS 26.5: Unexpected Process Crash via Malicious Web Content (Fix)
CVE-2026-28913 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Apple OS 26.5 Memory Handling Crash on Malicious Web Content
CVE-2026-28944 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Apple OSes: OOB Read DoS Before 26.5 (Fixed in 26.5)
CVE-2026-28991 - May 11, 2026

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to cause a denial-of-service.

Apple OS Logging Leak (kernel state) pre iOS 18.7.9 / macOS 14.8.7
CVE-2026-28987 - May 11, 2026

A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An app may be able to leak sensitive kernel state.

Apple Mail Remote Image Leakage in Lockdown Mode Fixed iOS 18.7.9/macOS 15.7.7/14.8.7/26.5
CVE-2026-28929 - May 11, 2026

A logic issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. Replying to an email could display remote images in Mail in Lockdown Mode.

Apple iOS/macOS 26.5 Use-After-Free in Web Rendering
CVE-2026-28883 - May 11, 2026

A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Inconsistent UI State Allows App Access to Sensitive Data iOS 26.5
CVE-2026-28964 - May 11, 2026

An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 26.5 and iPadOS 26.5, visionOS 26.5. An app may be able to access sensitive user data.

Apple OS Kernel OOB Write (iOS 18.7.9/iPadOS 18.7.9, macOS 15.7.7)
CVE-2026-28972 - May 11, 2026

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to cause unexpected system termination or write kernel memory.

Apple iOS 26.5 Privacy LCK View Vulnerability
CVE-2026-28965 - May 11, 2026

A privacy issue was addressed with improved checks. This issue is fixed in iOS 26.5 and iPadOS 26.5. A user may be able to view restricted content from the lock screen.

Apple OS iOS/macOS OOB Write in File Parser, fixed iOS 18.7.9
CVE-2026-43656 - May 11, 2026

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. Parsing a maliciously crafted file may lead to an unexpected app termination.

Apple OS Image Processing Memory Corruption (iOS 26.5, macOS Sequoia 15.7.7)
CVE-2026-28990 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing a maliciously crafted image may corrupt process memory.

Race Condition in Apple OS Leads to Unexpected Termination (fixed iOS 18.7.9)
CVE-2026-28986 - May 11, 2026

A race condition was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An app may be able to cause unexpected system termination.

Apple iOS Use-After-Free Pre-18.7.9
CVE-2026-28969 - May 11, 2026

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to cause unexpected system termination.

Apple WebKit CSP Bypass before 26.5 (iOS 18.7.9, macOS 26.5)
CVE-2026-43660 - May 11, 2026

A validation issue was addressed with improved logic. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.

Apple WebKit MemCorrupt Crash (CVE-2026-28904) fixed iOS 18.7.9+
CVE-2026-28904 - May 11, 2026

The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
