Description
An out-of-bounds read was addressed with improved input validation. This issue is fixed in Pages 15.1, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1. Processing a maliciously crafted Pages document may result in unexpected termination or disclosure of process memory.
Published: 2026-01-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory disclosure or application crash
Action: Apply Update
AI Analysis

Impact

An out‑of‑bounds read was discovered in Apple Pages and several Apple operating systems. The flaw permits a process that parses a maliciously crafted Pages document to read data beyond its intended buffer. The unintended read can cause the application to terminate unexpectedly or expose portions of the process memory, potentially leaking sensitive information. The weakness corresponds to CWE‑125, confirming a lack of proper bounds checking.

Affected Systems

The vulnerability affects Apple Pages as well as the iOS, iPadOS, and macOS operating systems. The issue is resolved in Pages 15.1, iOS 26.1, iPadOS 26.1, and macOS Tahoe 26.1. Any earlier releases of these products are therefore susceptible, although the CVE does not list specific pre‑patch versions.

Risk and Exploitability

The CVSS score of 4.3 rates this vulnerability as Medium severity, and the EPSS score of less than 1% indicates a very low likelihood of exploitation at the time of this analysis. It is not included in the CISA KEV catalog. The attack vector is inferred to be local: a malicious Pages document must be opened by a user or processed by a third‑party application that handles such files. No additional environmental prerequisites are specified in the CVE data.

Generated by OpenCVE AI on April 27, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Pages 15.1, iOS 26.1, iPadOS 26.1, and macOS Tahoe 26.1.
  • If an update cannot be applied immediately, do not open or execute unknown Pages files.
  • Ensure your device receives future Apple security updates by keeping the system external sources enabled.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 21:30:00 +0000

Type: Title
Values Added: Out‑of‑Bounds Read in Apple Pages and Apple OS Leading to Application Crash or Memory Disclosure

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 26.1 and iPadOS 26.1, Pages 15.1, macOS Tahoe 26.1. Processing a maliciously crafted Pages document may result in unexpected termination or disclosure of process memory.
Values Added: An out-of-bounds read was addressed with improved input validation. This issue is fixed in Pages 15.1, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1. Processing a maliciously crafted Pages document may result in unexpected termination or disclosure of process memory.

Fri, 30 Jan 2026 17:00:00 +0000

Type: First Time appeared
Values Added: Apple iphone Os, Apple macos

Type: CPEs
Values Added:
cpe:2.3:a:apple:pages:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Apple iphone Os, Apple macos

Thu, 29 Jan 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Apple, Apple ios, Apple ipados, Apple macos Tahoe, Apple pages

Type: Vendors & Products
Values Added: Apple, Apple ios, Apple ipados, Apple macos Tahoe, Apple pages

Wed, 28 Jan 2026 20:15:00 +0000

Type: Weaknesses
Values Added: CWE-125

Type: Metrics
Values Added:
cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 17:45:00 +0000

Type: Description
Values Added: An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 26.1 and iPadOS 26.1, Pages 15.1, macOS Tahoe 26.1. Processing a maliciously crafted Pages document may result in unexpected termination or disclosure of process memory.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:17:30.165Z

Reserved: 2025-04-22T21:13:49.961Z

Link: CVE-2025-46316

Vulnrichment

Updated: 2026-01-28T19:19:20.350Z

NVD

Status: Modified

Published: 2026-01-28T18:16:49.350

Modified: 2026-04-02T19:21:06.770

Link: CVE-2025-46316

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T21:15:05Z

Weaknesses