Description
An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. Parsing a maliciously crafted file may lead to an unexpected app termination.
Published: 2026-05-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The issue is an out‑of‑bounds write triggered when the operating system parses a maliciously crafted file. This causes an unexpected application termination, effectively denying service to that app. The flaw is a buffer overrun, identified as CWE‑787. The denial of service occurs locally and no remote code execution is disclosed.

Affected Systems

Affected Apple platforms include iOS and iPadOS versions prior to iOS 18.7.9, iPadOS 18.7.9, iOS 26.5, iPadOS 26.5, and macOS Sequoia older than 15.7.7, macOS Sonoma older than 14.8.7, and macOS Tahoe older than 26.5. The problem appears only before these specific patch releases.

Risk and Exploitability

Because the EPSS score is <1% and the vulnerability is not listed in the CISA KEV catalog, the public exploitation probability is unclear, but the nature of the flaw suggests it could be triggered by an attacker who can place a crafted file on the device. The lack of evidence of remote exploitation and the requirement to parse a file indicate a local attack vector. The CVSS score of 7.3 indicates a high severity, and the impact of a denial of service may be significant for applications that must remain available.

Generated by OpenCVE AI on May 12, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest supported iOS, iPadOS, and macOS releases that contain the patch (≥ iOS 18.7.9, ≥ iPadOS 18.7.9, ≥ macOS Sequoia 15.7.7, ≥ macOS Sonoma 14.8.7, ≥ macOS Tahoe 26.5).
  • If immediate upgrade is not possible, avoid opening or executing files that appear suspicious and restrict the installation of apps from untrusted sources.
  • Continuously monitor system logs for abrupt application crashes and investigate any sudden terminations that may indicate exploitation attempts.

Generated by OpenCVE AI on May 12, 2026 at 22:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Tue, 12 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title Out-of-Bounds Write Causes App Crash via Malicious File

Tue, 12 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Out-of-Bounds Write Causing Application Crashes on Apple Devices
Weaknesses CWE-119

Tue, 12 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Mon, 11 May 2026 23:30:00 +0000

Type Values Removed Values Added
Title Out-of-Bounds Write Causing Application Crashes on Apple Devices
Weaknesses CWE-119

Mon, 11 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Vendors & Products Apple
Apple ios And Ipados
Apple macos

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. Parsing a maliciously crafted file may lead to an unexpected app termination.
References

Subscriptions

Apple Ios And Ipados Ipados Iphone Os Macos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-12T17:22:14.990Z

Reserved: 2026-05-01T22:46:21.639Z

Link: CVE-2026-43656

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-11T21:19:01.380

Modified: 2026-05-13T14:06:59.377

Link: CVE-2026-43656

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T22:30:05Z

Weaknesses