CVE-2026-28990
Description
The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. Processing a maliciously crafted image may corrupt process memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory corruption vulnerability in Apple image processing allows denial-of-service via a crafted image, patched in multiple OS updates.
Vulnerability
Description CVE-2026-28990 is an out-of-bounds read vulnerability in Apple's image processing code. The issue arises when handling malformed image data, leading to memory corruption. The root cause is insufficient bounds checking during image parsing, which was addressed with improved memory handling [1][2].
Exploitation
An attacker can trigger this vulnerability by convincing a user to open a specially crafted image file. No authentication is required, and the attack can be delivered remotely via web pages, emails, or messaging apps. The vulnerability does not require kernel privileges and can be exploited by a user-level app [1][2].
Impact
Successful exploitation may allow an app to cause a denial-of-service (DoS) by corrupting process memory. This can lead to application crashes or system instability. The vulnerability is rated High with a CVSS v3 base score of 7.5 [1][2][3][4].
Mitigation
Apple has released patches for iOS 26.5, iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Users should update their devices as soon as possible. No workarounds are documented [1][2][3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: = 15.7.7
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- support.apple.com/en-us/127110nvdRelease NotesVendor Advisory
- support.apple.com/en-us/127115nvdRelease NotesVendor Advisory
- support.apple.com/en-us/127116nvdRelease NotesVendor Advisory
- support.apple.com/en-us/127117nvdRelease NotesVendor Advisory
- support.apple.com/en-us/127118nvdRelease NotesVendor Advisory
- support.apple.com/en-us/127119nvdRelease NotesVendor Advisory
- support.apple.com/en-us/127120nvdRelease NotesVendor Advisory
News mentions
1- Apple Patches Everything, (Mon, May 11th)SANS Internet Storm Center · May 11, 2026