Description
A resource exhaustion issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4. A remote attacker may be able to cause a denial-of-service.
Published: 2026-05-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a resource exhaustion flaw caused by insufficient input validation. By exploiting it, a remote attacker can cause a device to become unresponsive or crash, effectively denying availability. The flaw is aggravated by the system’s inability to limit the resources consumed by malformed or overly large inputs, leading to denial of service.

Affected Systems

Apple iOS and iPadOS devices running versions older than iOS 18.7.9, iOS 26.4, iPadOS 18.7.9 or iPadOS 26.4 are affected. These systems are vulnerable to the resource exhaustion issue until patched.

Risk and Exploitability

Based on the description, it is inferred that no privileges are required; a remote attacker who can reach the vulnerable component may trigger the resource exhaustion. The CVSS score of 7.5 indicates high severity, while the EPSS score of <1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA KEV, indicating that widespread exploitation has not yet been observed. Nevertheless, a remote adversary could send crafted input to initiate a denial of service.

Generated by OpenCVE AI on May 12, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a software update to iOS 18.7.9 or newer, iOS 26.4 or newer, iPadOS 18.7.9 or newer, or iPadOS 26.4 or newer, which contain the fix for the input validation issue.
  • If an update cannot be applied immediately, enforce application or network‑level restrictions to reduce exposure to the vulnerable component, such as limiting inbound traffic or applying stricter input validation on any custom services.
  • Monitor device memory and resource usage, and implement process isolation or limits to prevent a single process from exhausting resources; plan for rapid reboots or process restarts when the device becomes unresponsive.

Advisories

No advisories yet.

History

Tue, 12 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
Title | | Remote Resource Exhaustion Denial-of-Service in iOS and iPadOS

Tue, 12 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 23:00:00 +0000

Type | Values Removed | Values Added
Title | | Remote Resource Exhaustion Denial-of-Service in iOS and iPadOS
Weaknesses | | CWE-400

Mon, 11 May 2026 22:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apple; Apple ios And Ipados
Vendors & Products | | Apple; Apple ios And Ipados

Mon, 11 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | A resource exhaustion issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.4 and iPadOS 26.4. A remote attacker may be able to cause a denial-of-service.
References | |

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-12T18:17:47.133Z

Reserved: 2026-03-03T16:36:03.974Z

Link: CVE-2026-28872

Vulnrichment

Updated: 2026-05-12T18:16:36.915Z

NVD

Status: Undergoing Analysis

Published: 2026-05-11T21:18:51.977

Modified: 2026-05-12T19:16:29.303

Link: CVE-2026-28872

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:30:05Z

Weaknesses