VYPR
High severity · 7.5 · NVD Advisory · Published May 11, 2026 · Updated May 14, 2026

CVE-2026-28936

Description

The issue was addressed with improved checks. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sonoma 14.8.7, macOS Tahoe 26.5, visionOS 26.5. Processing a maliciously crafted file may lead to unexpected app termination.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Processing a maliciously crafted file may cause unexpected app termination due to an out-of-bounds read in Apple operating systems.

Vulnerability

Overview

CVE-2026-28936 is an out-of-bounds read vulnerability in Apple's core file processing logic. The issue was addressed with improved bounds checking in affected operating systems [1][2][3]. The root cause is a failure to properly validate memory boundaries when handling crafted files, leading to a read beyond the allocated buffer.

Exploitation

An attacker can trigger this vulnerability by delivering a maliciously crafted file to the target device. No special privileges are required beyond the ability to open the file in an application that processes it. The attack surface includes any application that handles untrusted file data, such as document viewers, media players, or system services.

Impact

Successful exploitation results in unexpected app termination, causing a denial-of-service condition. Based on available information, the vulnerability does not appear to allow arbitrary code execution or data exfiltration. The impact is consistent across all affected platforms: iOS, iPadOS, macOS, and visionOS [1][2][3].

Mitigation

Apple has released patches in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sonoma 14.8.7, macOS Tahoe 26.5, and visionOS 26.5 [1][2][3][4]. Users should update their devices to the latest available versions. No workarounds have been published.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

References

5

News mentions

1