Description
A race condition was addressed with additional validation. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to access sensitive user data.
Published: 2026-05-11
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition was identified in Apple operating systems that allows an application to read sensitive user data before proper validation. The issue was fixed with additional validation logic in the OS. The vulnerability could enable a malicious or compromised app to access personal information without the user’s intent or permission, constituting a confidentiality breach and possible integrity impact.

Affected Systems

The bug affects Apple iOS, iPadOS, macOS (Sequoia 15.7.x, Sonoma 14.x, Tahoe 26.x), tvOS, visionOS, and watchOS across all versions released prior to the fixed updates. The patch is available in iOS 26.5, iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating an unknown exploitation probability. Based on the description, the most likely attack vector is a malicious or compromised application that can trigger the race condition while accessing private data. Without a public exploit or detailed scoring, defenders should treat the risk as significant, especially in environments where applications have broad data access.

Generated by OpenCVE AI on May 11, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all Apple devices to versions that contain the fix, such as iOS 26.5, iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5.
  • Enable automatic software updates or manually download and install the latest security updates from Apple for all affected products.
  • Restrict application permissions and audit installed apps to ensure they only request data needed for their functionality.

Generated by OpenCVE AI on May 11, 2026 at 22:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple tvos
Apple visionos
Apple watchos

Mon, 11 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title Race Condition in Apple OS Enabling Unauthorized Access to Sensitive User Data
Weaknesses CWE-200
CWE-362

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description A race condition was addressed with additional validation. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. An app may be able to access sensitive user data.
References

Subscriptions

Apple Ios And Ipados Macos Tvos Visionos Watchos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-11T20:07:40.498Z

Reserved: 2026-03-03T16:36:03.997Z

Link: CVE-2026-28996

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-11T21:18:59.520

Modified: 2026-05-12T14:13:03.510

Link: CVE-2026-28996

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T00:15:05Z

Weaknesses