Description
A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 26.4 and iPadOS 26.4. A remote attacker may be able to cause a denial-of-service.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

A buffer overflow that can be triggered remotely by writing data beyond the intended bounds, leading to unmanaged memory corruption. The flaw can crash the operating system, resulting in a denial‑of‑service. It is classified as CWE‑120, a buffer copy without proper bounds checks. The key consequence is that any affected device would become unusable until reboot or patch, impacting availability.

Affected Systems

Apple iOS and iPadOS devices running versions prior to 26.4 are affected. The vulnerability is fixed in iOS 26.4 and iPadOS 26.4. Devices with later or updated firmware are not vulnerable.

Risk and Exploitability

With a CVSS score of 7.5 the severity is high, while the EPSS score is below 1 % indicating a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is remote and can lead to a critical denial‑of‑service, any device running the affected OS should be patched as soon as possible. The exploit path requires a remote trigger; specific details are not provided but the attack vector is inferred to be remote based on the description.

Generated by OpenCVE AI on March 25, 2026 at 19:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device to iOS 26.4 or iPadOS 26.4 immediately.

Generated by OpenCVE AI on March 25, 2026 at 19:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://support.apple.com/en-us/126792 cve-icon cve-icon
History

Wed, 25 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Vendors & Products Apple
Apple ios And Ipados

Wed, 25 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 26.4 and iPadOS 26.4. A remote attacker may be able to cause a denial-of-service.
References

Subscriptions

Apple Ios And Ipados Ipados Iphone Os
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:19:26.961Z

Reserved: 2026-03-03T16:36:03.974Z

Link: CVE-2026-28875

cve-icon Vulnrichment

Updated: 2026-03-25T14:49:35.274Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T01:17:11.307

Modified: 2026-03-25T18:28:51.183

Link: CVE-2026-28875

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T21:16:41Z

Weaknesses