CVE-2026-28940
Description
The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5. Processing a maliciously crafted image may corrupt process memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Processing a maliciously crafted image may corrupt process memory in Apple iOS, iPadOS, macOS, tvOS, and visionOS, addressed with improved memory handling.
Root Cause
CVE-2026-28940 is a memory corruption vulnerability affecting multiple Apple operating systems. The issue is triggered while processing a maliciously crafted image and can corrupt process memory. The fix was implemented with improved memory handling.
Exploitation
Attackers can exploit this vulnerability by inducing the target to open a specially crafted image file. No additional privileges or specific network position are required beyond the ability to deliver the image to the device (e.g., via a website, email, or message). The vulnerability lies in the core image-processing pipeline shared across several Apple platforms.
Impact
The impact varies by platform. Official advisories list the impact as either an app being able to cause a denial-of-service (iOS 26.5, macOS Tahoe, visionOS) or an app being able to access sensitive user data (iOS 18.7.9 and iPadOS 18.7.9) [2][3][4]. The root cause in memory corruption is consistent with out-of-bounds read vulnerabilities, as noted in related advisories [1][2][3].
Mitigation
Apple has released patches in the following versions: iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Tahoe 26.5, tvOS 26.5, and visionOS 26.5 [1][2][3][4]. Users should update to the latest available versions. No workarounds have been disclosed, and this CVE does not appear in CISA's Known Exploited Vulnerabilities catalog at the time of this writing.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 26.5
- Range: = 15.7.7
- Range: = 18.7.9, = 26.5
- Range: = 26.5
- Range: = 18.7.9, = 26.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- support.apple.com/en-us/127110 (nvd; Release Notes; Vendor Advisory)
- support.apple.com/en-us/127111 (nvd; Release Notes; Vendor Advisory)
- support.apple.com/en-us/127115 (nvd; Release Notes; Vendor Advisory)
- support.apple.com/en-us/127116 (nvd; Release Notes; Vendor Advisory)
- support.apple.com/en-us/127118 (nvd; Release Notes; Vendor Advisory)
- support.apple.com/en-us/127120 (nvd; Release Notes; Vendor Advisory)
News mentions
- ZDI-26-314: Apple macOS USD File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability (Zero Day Initiative · May 12, 2026)
- Apple Patches Everything, (Mon, May 11th) (SANS Internet Storm Center · May 11, 2026)