Description
The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.
Published: 2026-05-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient input validation when a device processes web content that has been deliberately malformed, a weakness identified as CWE-20 (Improper Input Validation). If triggered, the device’s process terminates unexpectedly, interrupting normal operation. This leads to a denial of service rather than code execution or data leakage.

Affected Systems

Affected devices include Apple iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The fix is delivered in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5.

Risk and Exploitability

The CVSS score of 4.3, the EPSS score of <1%, and the absence from CISA's KEV list indicate moderate severity and a low exploitation probability. The issue requires processing of maliciously crafted web content, which suggests the attack vector involves either local access to such content or exposure through a web service on the device. While the vulnerability does not provide code execution, it can cause repeated crashes, creating a significant availability risk, especially for services that rely on uninterrupted web content processing. Since exploitation requires the presence of the malformed content, the likelihood of attack remains moderate, but the impact on affected systems is high in denial-of-service scenarios.

Generated by OpenCVE AI on May 12, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest OS updates that include the fix for iOS, iPadOS, macOS, tvOS, visionOS, or watchOS.
  • Implement a web content filtering solution to block or sanitize malicious pages before they reach the device.
  • Adjust system or application settings to restrict or disable web components that handle untrusted input, such as disabling specific web engines or features if supported.



Advisories

No advisories yet.

History

Tue, 12 May 2026 21:45:00 +0000

Type: Title
Values Removed: (none)
Values Added: Malicious Web Content Can Trigger Unexpected Process Crashes via Improper Input Validation

Tue, 12 May 2026 18:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-20

Type: Metrics
Values Removed: (none)
Values Added:

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 22:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:

  • Apple
  • Apple ios And Ipados
  • Apple macos
  • Apple tvos
  • Apple visionos
  • Apple watchos

Type: Vendors & Products
Values Removed: (none)
Values Added:

  • Apple
  • Apple ios And Ipados
  • Apple macos
  • Apple tvos
  • Apple visionos
  • Apple watchos

Mon, 11 May 2026 20:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing maliciously crafted web content may lead to an unexpected process crash.

Type: References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-12T18:11:41.055Z

Reserved: 2026-03-03T16:36:03.985Z

Link: CVE-2026-28917

Vulnrichment

Updated: 2026-05-12T18:11:31.640Z

NVD

Status: Undergoing Analysis

Published: 2026-05-11T21:18:54.110

Modified: 2026-05-12T19:16:29.460

Link: CVE-2026-28917

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:30:25Z

Weaknesses