Description
This issue was addressed through improved state management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An attacker may be able to track users through their IP address.
Published: 2026-05-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises from improper state management in Apple operating systems, causing the device’s IP address to become exposed to an attacker. This exposure enables passive monitoring of the user’s activity or location without granting direct control over the device. The weakness is classified as CWE-359, an information exposure vulnerability that leads to unintended disclosure of sensitive data during transmission.

Affected Systems

Apple iOS, iPadOS, macOS, and visionOS versions existing before 18.7.9, 26.5, 15.7.7, 14.8.7, 26.5, and 26.5 respectively are affected; the listed newer releases contain the fix.

Risk and Exploitability

The CVSS score is 7.5 and the EPSS score is less than 1%; the flaw is not included in the CISA KEV catalog. The likely attack vector is passive observation of network traffic or the device’s state changes, inferred from the description that an attacker may track users by IP address. Exploitation does not appear to require privileged access or active interaction, so the practical likelihood remains low to moderate, but the persistent risk of privacy compromise warrants timely patching.

Generated by OpenCVE AI on May 12, 2026 at 23:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update all affected Apple devices to at least iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, or visionOS 26.5, which resolve the CWE‑359 state‑management flaw.
  • Apply network restrictions by disabling unused services or configuring a firewall to block outbound traffic to untrusted destinations, reducing risk from the information‑exposure weakness.
  • As a temporary safeguard, route device traffic through a VPN or proxy to conceal the IP address until the patch is applied, mitigating the potential data leakage caused by CWE‑359.

Generated by OpenCVE AI on May 12, 2026 at 23:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 00:15:00 +0000

Type Values Removed Values Added
Title IP Address Exposure via Improper State Management

Tue, 12 May 2026 22:30:00 +0000

Type Values Removed Values Added
Title IP Address Tracking via State Management Flaw
Weaknesses CWE-200

Tue, 12 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-359
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title IP Address Tracking via State Management Flaw
Weaknesses CWE-200

Mon, 11 May 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple visionos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple visionos

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description This issue was addressed through improved state management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An attacker may be able to track users through their IP address.
References

Subscriptions

Apple Ios And Ipados Macos Visionos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-12T17:48:44.294Z

Reserved: 2026-03-03T16:36:03.984Z

Link: CVE-2026-28906

cve-icon Vulnrichment

Updated: 2026-05-12T17:48:33.868Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-11T21:18:53.403

Modified: 2026-05-12T18:16:48.070

Link: CVE-2026-28906

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T00:00:17Z

Weaknesses