Description
A race condition was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access sensitive user data.
Published: 2026-05-11
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition was detected in several Apple operating systems. The flaw allows an application to read sensitive user data that it should not be able to access. The issue was addressed by adding further validation, and it is fixed in particular OS releases. The primary consequence is that a malicious or compromised app could gain visibility into protected information.

Affected Systems

Apple iOS, iPadOS, macOS Sequoia, macOS Sonoma, macOS Tahoe, and visionOS are affected. The fixes are included in iOS 18.7.9 and 26.5, iPadOS 18.7.9 and 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, and visionOS 26.5.

Risk and Exploitability

The CVSS score is 4.7, indicating moderate severity, and the EPSS score is < 1%, suggesting a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is a local or user‑installed application that triggers the race condition. The impact could be a significant loss of confidentiality, although the low EPSS score reduces the immediacy of the threat. Nevertheless, proactive patching is advised to prevent potential exploitation of the race condition when operating system threads are not adequately synchronized.

Generated by OpenCVE AI on May 12, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest OS update that includes the fix (Apple iOS 18.7.9, iOS 26.5, iPadOS 18.7.9, iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, or visionOS 26.5).
  • Use device management or MDM profiles to restrict the installation of applications to trusted sources and enforce sandboxing and privacy settings.
  • Enforce Apple’s App Sandbox guidelines to limit background data access for apps that handle sensitive information.

Advisories

No advisories yet.

History

Tue, 12 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Vendors & Products Apple ipados
Apple iphone Os

Tue, 12 May 2026 16:00:00 +0000

Type Values Removed Values Added
Title Race Condition Allowing Apps to Access Sensitive User Data in Apple OSes

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 23:00:00 +0000

Type Values Removed Values Added
Title Race Condition Allowing Apps to Access Sensitive User Data in Apple OSes
Weaknesses CWE-1133

Mon, 11 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ios And Ipados
Apple macos
Apple visionos
Vendors & Products Apple
Apple ios And Ipados
Apple macos
Apple visionos

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description A race condition was addressed with additional validation. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. An app may be able to access sensitive user data.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-05-12T13:02:13.066Z

Reserved: 2026-05-01T22:46:21.639Z

Link: CVE-2026-43659

Vulnrichment

Updated: 2026-05-12T13:02:02.359Z

NVD

Status: Analyzed

Published: 2026-05-11T21:19:01.590

Modified: 2026-05-12T17:51:37.980

Link: CVE-2026-43659

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T15:45:06Z

Weaknesses