Description
An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Parsing a maliciously crafted file may lead to an unexpected app termination.
Published: 2026-05-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an out-of-bounds access that arises from deficient bounds checking during file parsing. When a maliciously crafted file is processed, the flaw can cause an unexpected application termination, resulting in a denial-of-service condition. It is an integrity-related weakness that does not grant code execution but can disrupt service availability.

Affected Systems

Apple devices running iOS, iPadOS, macOS (Tahoe), tvOS, visionOS, and watchOS are affected before the 26.5 release. The issue is fixed in iOS 26.5, iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5.

Risk and Exploitability

The CVSS score is 6.5, and the EPSS score is <1%, indicating a low exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread use of an exploit. The flaw requires a malicious file to be parsed, so the likely attack vector is a local or externally supplied file that the user opens or the system processes. While no active exploit is documented, the risk is primarily a local denial-of-service that can affect user experience and potentially business operations that rely on the impacted applications.

Generated by OpenCVE AI on May 13, 2026 at 00:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to iOS, iPadOS, macOS, tvOS, visionOS, and watchOS 26.5 or later to receive the patch that adds proper bounds checking.
  • After updating, refrain from opening files that have been crafted or distributed by untrusted sources until the security update is applied.
  • Implement file handling policies or security controls that quarantine or otherwise prevent execution of files that could trigger the crash until they are verified to be safe.

Generated by OpenCVE AI on May 13, 2026 at 00:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Out-of-Bounds File Parsing Causing App Termination in Apple Operating Systems

Tue, 12 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Memory Access in File Parsing Causes App Termination
Weaknesses CWE-122
CWE-190

Tue, 12 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CWE-787
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos

Mon, 11 May 2026 22:30:00 +0000

Type Values Removed Values Added
Title Out‑of‑Bounds Memory Access in File Parsing Causes App Termination
Weaknesses CWE-122
CWE-190

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Parsing a maliciously crafted file may lead to an unexpected app termination.
References

Subscriptions

Apple Ios And Ipados Macos Tvos Visionos Watchos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-12T18:30:41.505Z

Reserved: 2026-03-03T16:36:03.985Z

Link: CVE-2026-28918

cve-icon Vulnrichment

Updated: 2026-05-12T18:06:15.718Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-11T21:18:54.210

Modified: 2026-05-12T19:16:29.627

Link: CVE-2026-28918

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T00:30:28Z

Weaknesses