Impact
A mail header parsing issue was discovered in which malformed headers trigger an unhandled state in the mail processing engine, potentially causing the device or application to become unresponsive. The vulnerability can lead to a persistent denial-of-service condition that disrupts normal mail operations without necessarily compromising data confidentiality. The weakness corresponds to CWE-20 (Improper Input Validation).
Affected Systems
Apple operating systems—iOS, iPadOS, macOS, visionOS, and watchOS—are affected. The issue is resolved in iOS 18.7.2, iOS 26.1, iPadOS 18.7.2, iPadOS 26.1, macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1, visionOS 26.1, and watchOS 26.1. Systems running any earlier build of these OS families are potentially vulnerable.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1% suggests a currently low probability of exploitation, and the vulnerability is not listed in CISA KEV, implying no publicly known exploitation. Based on the description, the likely attack vector is a maliciously crafted email with malformed headers delivered to the target device's mail application, which then enters an unrecoverable state and requires a restart. The attacker needs a network path to deliver the email to the target, but the attack relies on no network attack surface beyond mail delivery: any sender able to target a device on a network, or to send via an open mail relay, can perform it.