Apple iOS
The iOS operating system used by iPhones.
Recent Apple iOS Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 126792 | iOS 26.4 and iPadOS 26.4 - Apple Security Content | March 24, 2026 |
| 126793 | iOS 18.7.7 and iPadOS 18.7.7 - Apple Security Content | March 24, 2026 |
| 126604 | Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2 - Apple Security Content | March 17, 2026 |
| 126632 | iOS 15.8.7 and iPadOS 15.8.7 - Apple Security Content | March 11, 2026 |
| 126646 | iOS 16.7.15 and iPadOS 16.7.15 - Apple Security Content | March 11, 2026 |
| 126346 | iOS 26.3 and iPadOS 26.3 - Apple Security Content | February 11, 2026 |
| 126347 | iOS 18.7.5 and iPadOS 18.7.5 - Apple Security Content | February 11, 2026 |
| 125884 | iOS 26.2 and iPadOS 26.2 - Apple Security Content | December 12, 2025 |
| 125885 | iOS 18.7.3 and iPadOS 18.7.3 - Apple Security Content | December 12, 2025 |
| 125633 | iOS 18.7.2 and iPadOS 18.7.2 - Apple Security Content | November 5, 2025 |
Known Exploited Apple iOS Vulnerabilities
The following Apple iOS vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | CVE | Exploit Probability | Added |
|---|---|---|---|---|
| Apple iOS Type Confusion Vulnerability | Apple iOS contains a type confusion vulnerability when processing maliciously crafted web content leading to code execution. | CVE-2022-42856 | 0.2% | December 14, 2022 |
| Apple iOS Information Disclosure Vulnerability | The Apple iOS kernel allows attackers to obtain sensitive information from memory via a crafted application. | CVE-2016-4655 | 81.7% | May 24, 2022 |
| Apple iOS Memory Corruption Vulnerability | A memory corruption vulnerability in Apple iOS kernel allows attackers to execute code in a privileged context or cause a denial-of-service via a crafted application. | CVE-2016-4656 | 66.7% | May 24, 2022 |
| Apple iOS Webkit Memory Corruption Vulnerability | WebKit in Apple iOS contains a memory corruption vulnerability which allows attackers to execute remote code or cause a denial-of-service via a crafted web site. | CVE-2016-4657 | 77.1% | May 24, 2022 |
| Apple iOS Memory Corruption Vulnerability | Apple iOS contains a memory corruption vulnerability which could allow an attacker to perform remote code execution. | CVE-2019-7287 | 4.9% | May 23, 2022 |
| Apple iOS "FORCEDENTRY" Remote Code Execution Vulnerability | An integer overflow was addressed with improved input validation vulnerability affecting iOS devices that allows for remote code execution. | CVE-2021-30860 | 70.6% | November 3, 2021 |
| Apple WebKit Browser Engine Use-After-Free Vulnerability | Use after free issue. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-30762 | 0.0% | November 3, 2021 |
| Apple iOS Privilege Escalation and Code Execution Chain | A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-1782 | 5.9% | November 3, 2021 |
| Apple iOS Privilege Escalation and Code Execution Chain | A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-1870 | 1.2% | November 3, 2021 |
| Apple iOS Privilege Escalation and Code Execution Chain | A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-1871 | 0.8% | November 3, 2021 |
| Apple iOS Webkit Browser Engine XSS | Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-1879 | 0.8% | November 3, 2021 |
| Apple iOS Webkit Storage Use-After-Free Remote Code Execution Vulnerability | Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-30661 | 0.1% | November 3, 2021 |
| Apple iOS12.x Buffer Overflow | Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-30666 | 1.7% | November 3, 2021 |
| Apple WebKit Browser Engine Memory Corruption Vulnerability | Memory corruption issue. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. | CVE-2021-30761 | 0.3% | November 3, 2021 |
The vulnerability CVE-2016-4655: Apple iOS Information Disclosure Vulnerability is in the top 1% of the currently known exploitable vulnerabilities. 3 known exploited Apple iOS vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
Apple iOS EOL Dates
Ensure that you are using a supported version of Apple iOS. Here are some end-of-life and end-of-support dates for Apple iOS.
| Release | EOL Date | Status |
|---|---|---|
| 26 | - | Active |
| 18 | - | Active |
| 17 | November 19, 2024 | EOL. Apple iOS 17 became EOL in 2024 and support ended in 2024 |
| 16 | March 31, 2025 | EOL. Apple iOS 16 became EOL in 2025 and support ended in 2023 |
| 15 | March 31, 2025 | EOL. Apple iOS 15 became EOL in 2025 and support ended in 2022 |
| 14 | October 1, 2021 | EOL. Apple iOS 14 became EOL in 2021 and support ended in 2021 |
| 13 | September 16, 2020 | EOL. Apple iOS 13 became EOL in 2020 and support ended in 2020 |
| 12 | January 23, 2023 | EOL. Apple iOS 12 became EOL in 2023 and support ended in 2019 |
| 11 | October 8, 2018 | EOL. Apple iOS 11 became EOL in 2018 and support ended in 2018 |
| 10 | September 26, 2017 | EOL. Apple iOS 10 became EOL in 2017 and support ended in 2017 |
By the Year
In 2026 there have been 91 vulnerabilities in Apple iOS with an average score of 6.0 out of ten. Last year, in 2025, iOS had 354 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in iOS in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.43.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 91 | 5.97 |
| 2025 | 354 | 6.40 |
| 2024 | 325 | 6.15 |
| 2023 | 273 | 6.77 |
| 2022 | 244 | 7.09 |
| 2021 | 383 | 6.93 |
| 2020 | 294 | 6.98 |
| 2019 | 353 | 7.79 |
| 2018 | 100 | 7.39 |
It may take a day or so for new iOS vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apple iOS Security Vulnerabilities
Apple Keychain Local Access via Permission Bypass (iOS 18.7.7, macOS 15.7.5)
CVE-2026-28864
3.3 - Low
- March 25, 2026
This issue was addressed with improved permissions checking. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. A local attacker may gain access to user's Keychain items.
AuthZ
Apple Safari/OS 26.4: State Mgmt Auth Flaw Allows User Fingerprinting
CVE-2026-20691
4.3 - Medium
- March 25, 2026
An authorization issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. A maliciously crafted webpage may be able to fingerprint the user.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Apple OS 26.4 App Enumeration Permissions Issue
CVE-2026-28833
6.2 - Medium
- March 25, 2026
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. An app may be able to enumerate a user's installed apps.
Apple OS Log Data Leakage Fix 18.7.7/26.3
CVE-2026-20668
5.5 - Medium
- March 25, 2026
A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.3, visionOS 26.3. An app may be able to access sensitive user data.
Insertion of Sensitive Information into Log File
Apple OS (iOS/macOS) use-after-free CVE-2026-20687 (pre 18.7.7)
CVE-2026-20687
7.1 - High
- March 25, 2026
A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, tvOS 26.4, watchOS 26.4. An app may be able to cause unexpected system termination or write kernel memory.
Dangling pointer
iOS Activation Lock Bypass via Path Handling (pre-18.7.7/iPadOS 18.7.7)
CVE-2025-43534
6.8 - Medium
- March 25, 2026
A path handling issue was addressed with improved validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.2 and iPadOS 26.2. A user with physical access to an iOS device may be able to bypass Activation Lock.
Authorization
Apple iOS Kernel Memory Disclosure via Logging Redaction Flaw (before 18.7.7)
CVE-2026-28868
5.5 - Medium
- March 25, 2026
A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. An app may be able to disclose kernel memory.
Insertion of Sensitive Information into Log File
Apple Safari & OS 26.4 Crash due to Memory Handling Exploit
CVE-2026-20664
4.3 - Medium
- March 25, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may lead to an unexpected process crash.
Memory Corruption
Apple iOS/iPadOS Stack Overflow Fixed in 18.7.7 & 26.4
CVE-2026-28852
5.5 - Medium
- March 25, 2026
A stack overflow was addressed with improved input validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to cause a denial-of-service.
Improper Input Validation
Apple Safari 26.3: CSP Bypass via State Management Flaw
CVE-2026-20665
6.5 - Medium
- March 25, 2026
This issue was addressed through improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.
Protection Mechanism Failure
Apple OS Null Pointer Deref Causing DoS Fixed in v18.7.7 & 26.4
CVE-2026-28886
5.9 - Medium
- March 25, 2026
A null pointer dereference was addressed with improved input validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. A user in a privileged network position may be able to cause a denial-of-service.
NULL Pointer Dereference
Apple OS Audio Stream OOB Bounds Check (fixed 18.7.7/15.7.5)
CVE-2026-20690
6.5 - Medium
- March 25, 2026
An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. Processing an audio stream in a maliciously crafted media file may terminate the process.
Out-of-bounds Read
Apple OS Auth State Management Flaw (iOS 18.7.7, macOS 15.7.5-26.4)
CVE-2026-28865
7.5 - High
- March 25, 2026
An authentication issue was addressed with improved state management. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An attacker in a privileged network position may be able to intercept network traffic.
AuthZ
Apple iOS 18.7.7 - Sensitive Data Leak via App Enumeration Fix
CVE-2026-28878
6.5 - Medium
- March 25, 2026
A privacy issue was addressed by removing sensitive data. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps.
Information Disclosure
iOS 26.3 App Termination Vulnerability (CVE-2026-28874)
CVE-2026-28874
7.5 - High
- March 25, 2026
The issue was addressed with improved checks. This issue is fixed in iOS 26.4 and iPadOS 26.4. A remote attacker may cause an unexpected app termination.
Resource Exhaustion
Buffer Overflow in iOS 26.4 Kernel Remote Crash or Memory Corruption
CVE-2026-28858
9.8 - Critical
- March 25, 2026
A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 26.4 and iPadOS 26.4. A remote user may be able to cause unexpected system termination or corrupt kernel memory.
Classic Buffer Overflow
Apple Safari 26.4: Sandbox Escape via Memory Handling
CVE-2026-28859
4.3 - Medium
- March 25, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. A malicious website may be able to process restricted web content outside the sandbox.
Dangling pointer
iOS/iPadOS 26.x Buffer Overflow causing DoS
CVE-2026-28875
7.5 - High
- March 25, 2026
A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 26.4 and iPadOS 26.4. A remote attacker may be able to cause a denial-of-service.
Classic Buffer Overflow
Apple OS Type Confusion Vulnerability (fixed iOS 26.4, macOS 15.7.5, etc.)
CVE-2026-28822
6.2 - Medium
- March 25, 2026
A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An attacker may be able to cause unexpected app termination.
Object Type Confusion
Apple OS Fingerprinting via Permissions Flaw before 26.4
CVE-2026-28863
6.5 - Medium
- March 25, 2026
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 26.4 and iPadOS 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to fingerprint the user.
Apple WebKit use-after-free before iOS 18.7.7 crash
CVE-2026-28879
6.5 - Medium
- March 25, 2026
A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. Processing maliciously crafted web content may lead to an unexpected process crash.
Dangling pointer
Apple OS App Enumeration (CVE-2026-28880) Fixed in iOS 18.7.7 & macOS 15.7.5
CVE-2026-28880
6.5 - Medium
- March 25, 2026
A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4. An app may be able to enumerate a user's installed apps.
Authorization
Apple iOS/iPadOS/visionOS/watchOS: Pre-26.4 Auth Flaw Exposes Data
CVE-2026-28856
4.6 - Medium
- March 25, 2026
The issue was addressed with improved authentication. This issue is fixed in iOS 26.4 and iPadOS 26.4, visionOS 26.4, watchOS 26.4. An attacker with physical access to a locked device may be able to view sensitive user information.
Authorization
iOS 26.4 Unauth Access to Protected Apps via Stolen Device Protection
CVE-2026-28895
4.6 - Medium
- March 25, 2026
The issue was addressed with improved checks. This issue is fixed in iOS 26.4 and iPadOS 26.4. An attacker with physical access to an iOS device with Stolen Device Protection enabled may be able to access biometrics-gated Protected Apps with the passcode.
Authorization
Apple iOS use-after-free fixed in 18.7.7/26.3
CVE-2026-20637
6.2 - Medium
- March 25, 2026
A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3. An app may be able to cause unexpected system termination.
Dangling pointer
iOS/macOS Path Validation Flaw Enabling Sensitive Data Access (CVE-2026-28876)
CVE-2026-28876
7.5 - High
- March 25, 2026
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4. An app may be able to access sensitive user data.
Authorization
Apple Safari 26.4: State Mgmt Logic Leak Allows Cross-Origin Script Handler
CVE-2026-28861
4.3 - Medium
- March 25, 2026
A logic issue was addressed with improved state management. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. A malicious website may be able to access script message handlers intended for other origins.
Apple OS Auth Flaw via State Management (Fixed iOS 26.4, macOS 15.7.5)
CVE-2026-28877
5.5 - Medium
- March 25, 2026
An authorization issue was addressed with improved state management. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data.
Information Disclosure
Apple OS File Parser Crash, fixed 18.7.7
CVE-2026-20657
6.5 - Medium
- March 25, 2026
The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5. Parsing a maliciously crafted file may lead to an unexpected app termination.
Buffer Overflow
Apple OS Kernel Memory Corruption via Improper Handling (before 26.4)
CVE-2026-20698
5.5 - Medium
- March 25, 2026
The issue was addressed with improved memory handling. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to cause unexpected system termination or corrupt kernel memory.
Buffer Overflow
App Enumeration Vulnerability in Apple iOS 26.4 (enumerating installed apps)
CVE-2026-28882
4 - Medium
- March 25, 2026
This issue was addressed with improved checks. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to enumerate a user's installed apps.
Denial-of-Service vulnerability in Apple OSes via input validation, fixed 26.4
CVE-2026-28894
7.5 - High
- March 25, 2026
A denial-of-service issue was addressed with improved input validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. A remote attacker may be able to cause a denial-of-service.
Improper Input Validation
Safari & OS memory handling flaw triggers process crash with malicious web content
CVE-2026-28857
6.5 - Medium
- March 25, 2026
The issue was addressed with improved memory handling. This issue is fixed in Safari 26.4, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may lead to an unexpected process crash.
Out-of-bounds Read
Apple OS InfoLeak Vulnerability (iOS/macOS...) before 26.4
CVE-2026-28870
5.5 - Medium
- March 25, 2026
An information leakage was addressed with additional validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to access sensitive user data.
Symlink Validation Bug in Apple iOS/iPadOS & macOS (before 18.7.7/14.8.5)
CVE-2026-28866
6.2 - Medium
- March 25, 2026
This issue was addressed with improved validation of symlinks. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access sensitive user data.
insecure temporary file
Apple iOS/iPadOS/macOS VisionOS Path Validation Flaw Fixed 26.4/15.7.5/14.8.5
CVE-2026-20688
9.3 - Critical
- March 25, 2026
A path handling issue was addressed with improved validation. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, visionOS 26.4. An app may be able to break out of its sandbox.
Directory traversal
Apple iOS/iPadOS 18.7+: Kernel State Leak via Improper Auth
CVE-2026-28867
6.2 - Medium
- March 25, 2026
This issue was addressed with improved authentication. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. An app may be able to leak sensitive kernel state.
Apple Mail privacy flaw: Hide IP Address ineffective pre-iOS 26.4/macOS 14.8.5
CVE-2026-20692
5.3 - Medium
- March 25, 2026
A privacy issue was addressed with improved handling of user preferences. This issue is fixed in iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. "Hide IP Address" and "Block All Remote Content" may not apply to all mail content.
Apple Safari XSS from Logic Issue (fixed 26.4)
CVE-2026-28871
4.3 - Medium
- March 25, 2026
A logic issue was addressed with improved checks. This issue is fixed in Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4. Visiting a maliciously crafted website may lead to a cross-site scripting attack.
XSS
Cross-Origin Navigation API Bypass (iOS/macOS) Fixed in 26.3.1/2
CVE-2026-20643
5.4 - Medium
- March 17, 2026
A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously crafted web content may bypass Same Origin Policy.
Improper Input Validation
Safari Memory Corro. (CVE-2023-43010) in iOS/macOS <17.2 Fixed
CVE-2023-43010
8.8 - High
- March 12, 2026
The issue was addressed with improved memory handling. This issue is fixed in iOS 17.2 and iPadOS 17.2, macOS Sonoma 14.2, Safari 17.2, iOS 16.7.15 and iPadOS 16.7.15, iOS 15.8.7 and iPadOS 15.8.7. Processing maliciously crafted web content may lead to memory corruption.
Apple Safari 26.3 WebKit crash via memory handling flaw
CVE-2026-20644
6.5 - Medium
- February 11, 2026
The issue was addressed with improved memory handling. This issue is fixed in macOS Tahoe 26.3, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3, Safari 26.3. Processing maliciously crafted web content may lead to an unexpected process crash.
Buffer Overflow
Safari DoS via Improper Memory Handling (pre-26.3)
CVE-2026-20652
7.5 - High
- February 11, 2026
The issue was addressed with improved memory handling. This issue is fixed in macOS Tahoe 26.3, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3, Safari 26.3. A remote attacker may be able to cause a denial-of-service.
Resource Exhaustion
macOS Crash via Improper Memory Handling Fixed in Sequoia 15.7.4
CVE-2026-20605
4.6 - Medium
- February 11, 2026
The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Tahoe 26.3, macOS Sonoma 14.8.4. An app may be able to crash a system process.
Buffer Overflow
Apple OS DoS via Malicious File Handling (fixed in 26.3, 14.8.4, 15.7.4, 18.7.5)
CVE-2026-20609
4.4 - Medium
- February 11, 2026
The issue was addressed with improved memory handling. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents.
Out-of-bounds Read
Safari Crash via Malicious Web Content Fixed in 26.3
CVE-2026-20608
5.5 - Medium
- February 11, 2026
This issue was addressed through improved state management. This issue is fixed in macOS Tahoe 26.3, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3, Safari 26.3. Processing maliciously crafted web content may lead to an unexpected process crash.
Allocation of Resources Without Limits or Throttling
Apple OS Logging Leak Fixed in 26.3
CVE-2026-20649
5.5 - Medium
- February 11, 2026
A logging issue was addressed with improved data redaction. This issue is fixed in watchOS 26.3, iOS 26.3 and iPadOS 26.3, tvOS 26.3, macOS Tahoe 26.3. A user may be able to view sensitive user information.
Insecure Temporary File
Apple macOS/iOS Logic Issue Fixed 15.7.4/18.7.5/26.3/14.8.4
CVE-2026-20673
5.3 - Medium
- February 11, 2026
A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, macOS Tahoe 26.3, macOS Sonoma 14.8.4. Turning off "Load remote content in messages" may not apply to all mail previews.
Directory Path Parsing Issue - Apple OS (pre-26.3,14.8.4,15.7.4,18.7.5)
CVE-2026-20653
5.5 - Medium
- February 11, 2026
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.3, macOS Sonoma 14.8.4, macOS Sequoia 15.7.4, iOS 18.7.5 and iPadOS 18.7.5, visionOS 26.3, iOS 26.3 and iPadOS 26.3. An app may be able to access sensitive user data.
Directory traversal
CVE-2026-20645 UI State Flaw in iOS 26.3 & iPadOS 26.3 (Physical Access)
CVE-2026-20645
4.6 - Medium
- February 11, 2026
An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 26.3 and iPadOS 26.3, iOS 18.7.5 and iPadOS 18.7.5. An attacker with physical access to a locked device may be able to view sensitive user information.
Clickjacking