CVE-2026-28977

CVE-2026-28977 is an out-of-bounds read vulnerability in Apple's operating systems. The bug resides in how the system handles file parsing; insufficient bounds checking can lead to reading beyond allocated memory. This issue affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS across various versions [1][2][3].

Exploitation requires an attacker to deliver a maliciously crafted file to the target device. The file can be processed by any application that handles the vulnerable file type, potentially without user interaction beyond opening or receiving the file. No special privileges or network position is needed, as the file could arrive via email, web download, or other means.

Successful exploitation causes unexpected app termination, resulting in a denial-of-service condition. The impact is limited to the app's process termination; there is no evidence of arbitrary code execution or data disclosure from the available sources.

Apple has addressed the vulnerability with improved bounds checking in the following updates: iOS 26.5 and iPadOS 26.5, iOS 18.7.9 and iPadOS 18.7.9, macOS Tahoe 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Users are strongly advised to apply these patches to mitigate the risk.