Description
A denial-of-service issue was addressed with improved input validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4. An attacker in a privileged network position may be able to cause a denial-of-service.
Published: 2026-05-11
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in input validation can cause the operating system to crash, leading to a denial‑of‑service. The deficiency is believed to allow an attacker with a privileged network position to send crafted data that triggers the crash, causing the device to become unresponsive until restarted. No higher‑level privileges or code execution are required, so the impact is limited to loss of availability for the affected device.

Affected Systems

Apple iOS and iPadOS devices running software versions earlier than iOS 18.7.7 or 26.4 and iPadOS 18.7.7 or 26.4 are affected. This includes all releases prior to those fixes.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity; the EPSS score of < 1% indicates a very low probability of exploitation. The CVE is not listed in the CISA KEV catalog. Attackers require a privileged network position to deliver the malicious input, suggesting that the threat is primarily relevant to environments where devices are exposed to internal or custom networks rather than the general internet.

Generated by OpenCVE AI on May 12, 2026 at 22:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to at least iOS/iPadOS 18.7.7 or iOS/iPadOS 26.4, the releases that address the denial‑of‑service flaw.
  • Limit the exposure of the device to internal or custom networks; ensure only trusted devices can communicate with it from privileged positions.
  • Deploy network security controls to detect and block malformed input packets that could trigger the crash, such as anomalous application traffic or repeated attempts to send incorrect data structures.

Generated by OpenCVE AI on May 12, 2026 at 22:59 UTC.

Advisories

No advisories yet.

History

Tue, 12 May 2026 23:15:00 +0000

Type Values Removed Values Added
Title Denial‑of‑Service via Improper Input Validation in iOS/iPadOS

Tue, 12 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Denial-of-Service Vulnerability in iOS and iPadOS Due to Improper Input Validation
Weaknesses CWE-20

Tue, 12 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}


Mon, 11 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Denial-of-Service Vulnerability in iOS and iPadOS Due to Improper Input Validation
First Time appeared Apple
Apple ios And Ipados
Weaknesses CWE-20
Vendors & Products Apple
Apple ios And Ipados

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description A denial-of-service issue was addressed with improved input validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4. An attacker in a privileged network position may be able to cause a denial-of-service.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-12T17:25:04.049Z

Reserved: 2026-03-03T16:36:03.992Z

Link: CVE-2026-28967

Vulnrichment

Updated: 2026-05-12T17:24:59.640Z

NVD

Status : Undergoing Analysis

Published: 2026-05-11T21:18:57.600

Modified: 2026-05-12T18:16:49.117

Link: CVE-2026-28967

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:00:12Z

Weaknesses